
Remove redundant + stale netlify.toml [[headers]] /* block (fix Header-rules advisory)#102

Draft
maryadawson-code wants to merge 1 commit into main from claude/header-rules-dedupe


Conversation

@maryadawson-code (Owner)

What this is

Fixes the long-standing Netlify "Header rules — N invalid" advisory (red on PRs #99 and #100) by removing a redundant, stale [[headers]] for="/*" block from netlify.toml.

Why it's safe (proven redundant before removal)

The site documents a two-owner model for security headers (Sprint B, 2026-05-13) but left a third definition in netlify.toml that duplicated everything and had drifted:

| Header | Real owner | netlify.toml block |
|---|---|---|
| X-Frame-Options, X-Content-Type-Options, Referrer-Policy | _headers (/*, identical values) | duplicate |
| Content-Security-Policy, Permissions-Policy, Strict-Transport-Security | security-headers edge function (path "/*", every route, always wins) | duplicate — and stale |

The netlify.toml CSP was the pre-Sprint-B version (still listed the removed jsdelivr origin and the old *.stripe.com wildcard that was narrowed to explicit Stripe subdomains). The edge function already overrode it on every route, so it was dead weight — and exactly the divergence risk the edge-function's own comment warns about.

Removing it changes no effective response header: every header it set is still emitted by _headers or the edge function.

What I deliberately left alone

The cache [[headers]] blocks. Their values diverge from _headers (images 1yr-immutable vs 30-day; JS 300/600 vs 3600), and I can't tell which is authoritative without verifying live response headers — so consolidating them blind would risk changing cache behavior. Out of scope for this safe pass.

Verification

  • node build.js clean; validate-dist OK (500 pages); validate-routes ✓.
  • Static proof above that no header is dropped. The real live check is this PR's own Netlify "Header rules" status — if it goes green, the advisory is resolved with zero functional change.

Reviewer note: please glance at the deploy-preview response headers (or just the green "Header rules" check) before merge — that's the live confirmation I can't run from CI.

https://claude.ai/code/session_01UfEkVEJVGnwenskuXuyc6E
Generated by Claude Code

…block

The site defines security headers in three places; Sprint B (2026-05-13)
documented a two-owner model but left a duplicate [[headers]] for="/*"
block in netlify.toml carrying a STALE CSP (old jsdelivr + *.stripe.com
wildcard) that the security-headers edge function already overrides.

Proven redundant before removal:
- X-Frame-Options / X-Content-Type-Options / Referrer-Policy: identical
  values already in _headers (/* ).
- Content-Security-Policy / Permissions-Policy / Strict-Transport-Security:
  owned by the security-headers edge function (path "/*", every route,
  always wins) — the toml CSP was dead weight.
- Cache blocks LEFT IN PLACE (their values diverge from _headers; not
  safe to consolidate without live-header verification).

Removes the divergence risk the edge-function comment flags and should
clear Netlify's 'invalid header rules' advisory. No functional header
change. Cleared via the deploy preview's own Header-rules check.

Build clean; validate-dist OK (500 pages); validate-routes ✓.

https://claude.ai/code/session_01UfEkVEJVGnwenskuXuyc6E
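The "Verification" section of the PR description and the commit message above both say the real confirmation is a live comparison of response headers: after the netlify.toml block is gone, every security header must still be emitted by `_headers` or the security-headers edge function, and the CSP that is actually served must not be the stale one (jsdelivr origin, `*.stripe.com` wildcard). The following is an added example of that check, not part of PR #102, the site's build or validate scripts, or the commit. The production hostname is a placeholder, the deploy-preview URL is the one Netlify posted on this PR, the paths, Stripe subdomains and sample header sets are constructed, and the stale-source markers are taken as substrings from the PR text.

```python
"""Check that removing the netlify.toml [[headers]] block changed no effective
security header, and flag the stale CSP sources the PR describes.

Added example for PR #102; not part of the site's own build or validate
scripts. Hostnames, paths and the sample header sets below are constructed.
"""
import urllib.request

# Headers the PR attributes to _headers (first three) and to the
# security-headers edge function (last three).
SECURITY_HEADERS = (
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
    "permissions-policy",
    "strict-transport-security",
)

# Substrings the PR calls stale: the removed jsdelivr origin and the old
# *.stripe.com wildcard (assumption: matched as substrings of CSP sources).
STALE_MARKERS = ("jsdelivr", "*.stripe.com")


def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def stale_csp_sources(csp: str, markers=STALE_MARKERS) -> list[tuple[str, str]]:
    """Return (directive, source) pairs whose source matches a stale marker."""
    return [
        (directive, src)
        for directive, sources in parse_csp(csp).items()
        for src in sources
        if any(marker in src for marker in markers)
    ]


def diff_security_headers(before: dict[str, str], after: dict[str, str]) -> dict[str, tuple]:
    """Map each security header that was dropped or changed to (before, after).

    Header names are compared case-insensitively; an empty result means the
    change had no effect on the headers the PR cares about.
    """
    b = {k.lower(): v for k, v in before.items()}
    a = {k.lower(): v for k, v in after.items()}
    return {
        name: (b.get(name), a.get(name))
        for name in SECURITY_HEADERS
        if b.get(name) != a.get(name)
    }


def fetch_headers(url: str) -> dict[str, str]:
    """Live check: HEAD one URL and return its response headers (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}


def live_check(production: str, preview: str, paths=("/", "/index.html")) -> dict[str, dict]:
    """Compare production and deploy-preview headers per path; {} for a path means no change."""
    return {
        path: diff_security_headers(fetch_headers(production + path), fetch_headers(preview + path))
        for path in paths
    }


# --- constructed samples (not captured from the real site) ---
CURRENT_CSP = (
    "default-src 'self'; script-src 'self' https://js.stripe.com; "
    "frame-src https://checkout.stripe.com"
)
STALE_TOML_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.jsdelivr.net https://*.stripe.com; "
    "frame-src https://*.stripe.com"
)

PRODUCTION_SAMPLE = {
    "Content-Security-Policy": CURRENT_CSP,
    "Permissions-Policy": "camera=(), microphone=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "public, max-age=3600",
}
# The preview after the PR: same security headers because _headers and the
# edge function still emit them; only a cache header differs.
PREVIEW_SAMPLE = dict(PRODUCTION_SAMPLE, **{"Cache-Control": "public, max-age=600"})

if __name__ == "__main__":
    print("changed:", diff_security_headers(PRODUCTION_SAMPLE, PREVIEW_SAMPLE))
    print("stale in old toml CSP:", stale_csp_sources(STALE_TOML_CSP))
    # Live run (network): uncomment and replace the production placeholder.
    # print(live_check("https://PRODUCTION-ORIGIN.example",
    #                  "https://deploy-preview-102--curious-pony-0dec76.netlify.app"))
```

Only the security headers are diffed on purpose: the cache `[[headers]]` blocks were left in place by the PR and are expected to differ between `_headers` and netlify.toml, so including `Cache-Control` would only produce noise. An empty diff on every audited path is the "zero functional change" the PR claims; a non-empty `stale_csp_sources` result on a served page would mean the edge function is not winning on that route.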
@netlify

netlify Bot commented Jun 15, 2026


Deploy Preview for curious-pony-0dec76 ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 4313b45 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/curious-pony-0dec76/deploys/6a304415a79b9a0008c334e2 |
| 😎 Deploy Preview | https://deploy-preview-102--curious-pony-0dec76.netlify.app |
Lighthouse (1 path audited)

  • Performance: 98 (🔴 down 2 from production)
  • Accessibility: 96 (no change from production)
  • Best Practices: 100 (no change from production)
  • SEO: 100 (no change from production)
  • PWA: 80 (no change from production)


