Hugo can add all headers, including security headers, on the local server ( when you type
hugo server in the terminal). It’s pretty helpful for the debug, as some can break your website.
I had a problem setting them at first, but it occurred to me it was a small typo in the documentation, as it does not work well if you target .html only:
The documentation has been updated since then, and you can test headers locally with a few lines in
config.toml, for example:
[server] [[server.headers]] for = '/**' [server.headers.values] Permissions-Policy = "interest-cohort=()" Strict-Transport-Security = "max-age=31536000; includeSubDomains" X-Frame-Options = "SAMEORIGIN" X-Content-Type-Options = "nosniff"