HTTP Headers (e.g. Content-Security-Policy) on Pages

[ThatBlockyPenguin]

Select Topic Area

Question

Body

Hi, I'm wondering if it's possible to set custom HTTP Headers on websites hosted on GitHub Pages? I know it's possible via the <meta> tag, which I am willing to use if it's the only way, but I'd rather use an actual header if possible.
Thanks!

[yoannchaudet]

We don't support this feature today so a meta tag unfortunately is the only way.

[ThatBlockyPenguin]

Ok, nevermind then. Thanks!

[nodeg]

@yoannchaudet Are there any plans to support his in the future? I find it quite important to be able to change/add those headers.

[yoannchaudet]

We want to get there eventually. No ETA unfortunately at the moment while this has not been prioritized.

[nodeg]

Alright. Thank you for the answer!

[TonioGela]

+1 on prioritizing this

[thboileau]

+1 as well

[JandaSec]

can I also please vote for this feature. I need to add security headers to my site. Any site created with Github pages gets a Grade F score on https://securityheaders.io/ which is abysmal. Is there any update on the timescale for having this available please?

[ramalhais]

Need to add:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

These are new security requirements for using SharedArrayBuffer in javascript.

[MeesJ]

This deserves much more attention. In the nowadays internet security headers are becoming more and more important. Currently GitHub Pages doesn't have the ability to add custom headers, making it impossible to adopt these security measures.

[TonioGela]

+1 again on this. Maybe adding a lot of comments will cause enough traffic for the feature to get prioritized.

[jobearrr]

+1 here!
I'm also facing some issues with CSP and need to configure headers for my website.

[bss-dmitry-shmakov]

+100500 ✔️

[TonioGela]

I wonder if this is ever gonna happen

[Jieiku]

I have been using cloudflare pages and netlify, both have free plans and support headers:

cloudflare pages:
https://abridge.pages.dev/
https://github.com/Jieiku/abridge/blob/master/static/_headers

netlify:
https://abridge.netlify.app/
https://github.com/Jieiku/abridge/blob/master/netlify.toml

would be great if github also supported them, would simplify things.

[TonioGela]

would be great if github also supported them, would simplify things.

Precisely. I don't wanna rely on external services. I migrated every static site from netlify to GH Pages and using a single platform to do everything is so much more practical

[sh1boot]

I think cloudflare offer singling similar to GitHub Pages, but I since I'm to lazy to look into it I've instead relied on Cloudflare to rewrite GitHub headers in passing.

You make a good point. I should consolidate on one service and make the full move.

[TonioGela]

Sadly that's no possible though, right? :P

[sh1boot]

Sure it is. Cloudflare can host everything and update the headers at the same time.

[vitar]

To integrate my page, I'm required to have all that are in red: STS, CSP, XFO, XCTO, RP. That feature would be great!

[MaartenW]

This should be fixed by now. If it can't be custom headers, at least add the basic security headers! Please!

[TonioGela]

@yoannchaudet can we get some updates on this? Can this be prioritized?

[yoannchaudet]

This is not an area that is being prioritized at the moment unfortunately.

[mpetagara]

ngl, super disappointing to hear that the security of User's pages who elect to use Github Pages is still not a priority. Meanwhile Cloudflare Pages and Netlify support it. :/

[TonioGela]

Precisely this. Apparently Github's claim is that Pages security is not a priority.

[gossoudarev]

The GH Pages are of great help in education, I teach students with the aid of this service and it would be more than useful to be able to customize headers, especially security/CORS

[TonioGela]

The GH Pages are of great help in education, I teach students with the aid of this service and it would be more than useful to be able to customize headers, especially security/CORS

So bad that @yoannchaudet clearly told us that this is not a priority

[s4n-cz]

This feature would be really helpful.
If the task to support arbitrary headers is too complicated, I believe many people would be happy for now with at least some basic security headers like Content-Security-Policy, Referrer-Policy, ...

The suggested approach of using CSP through the meta element is only partial solution as for example the frame-ancestors directive is completely ignored.

[JandaSec]

GitHub don't take security seriously then?

 
Frankly I think it is appalling that this feature to add HTTP Security Headers is still not available. I posted about it missing back in February and have been tracking this thread since and watched all of the comments and support for it.
 
Why are GitHub not paying attention to security and the needs of their users?
 
In the meantime I've personally had to completely lift my website out of github pages and rehost it in an alternative platform, because I take security incredibly seriously and the lack of this feature is a complete show-stopper for me and not a 'nice to have'.
 
Disappointing… GitHub pages had such potential too…