Scenario

CSP for Cloudflare Pages

Cloudflare Pages is a good fit for centralized response headers. Static sites can usually set the policy in a _headers file, while dynamic nonce injection belongs in Pages Functions.

Two common approaches

  • _headers for static, cache-friendly sites.
  • functions/_middleware.ts for per-request nonce generation.

Watch for these pitfalls

  • Do not cache HTML with a reused nonce. A nonce must be unique per response, and cached HTML serves the same value to every visitor.
  • Account for Cloudflare analytics and image endpoints if you use them.
  • Verify the live response after deployment instead of trusting the repo file alone.
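
One way to check the first and last pitfalls against a deployed site, as an added example that is not part of the original page or Cloudflare's own code: it compares two separately fetched responses for the same URL. The Snapshot shape, the function names and the finding strings are assumptions of this example.

```typescript
// Added example. Snapshot and the function names are assumptions of this sketch.
interface Snapshot {
  csp: string | null;          // Content-Security-Policy header value
  cacheControl: string | null; // Cache-Control header value
  body: string;                // served HTML
}

// Collect capture group 1 for every match of a global regex.
function captures(re: RegExp, text: string): string[] {
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) out.push(m[1]);
  return out;
}

// Nonces the policy allows, e.g. 'nonce-abc123' yields abc123.
function policyNonces(csp: string): string[] {
  return captures(/'nonce-([A-Za-z0-9+\/_=-]+)'/g, csp);
}

// Nonce attributes actually present in the HTML.
function bodyNonces(html: string): string[] {
  return captures(/\snonce=["']([^"']+)["']/g, html);
}

// Compare two responses fetched separately from the same deployed URL.
function auditSnapshots(first: Snapshot, second: Snapshot): string[] {
  if (!first.csp || !second.csp) {
    return ["Content-Security-Policy header missing on the live response"];
  }
  const findings: string[] = [];
  const a = policyNonces(first.csp);
  const b = policyNonces(second.csp);
  if (a.length === 0) return findings; // static _headers policy: no nonce checks
  if (a.some((n) => b.indexOf(n) !== -1)) {
    findings.push("nonce reused across requests (cached HTML or fixed value)");
  }
  const pairs: [string[], string][] = [[a, first.body], [b, second.body]];
  if (pairs.some(([ok, html]) => bodyNonces(html).some((n) => ok.indexOf(n) === -1))) {
    findings.push("HTML nonce attribute does not match the header nonce");
  }
  if (!/\b(no-store|private)\b/.test((first.cacheControl || "").toLowerCase())) {
    findings.push("Cache-Control does not keep nonce-bearing HTML out of shared caches");
  }
  return findings;
}
```

In practice, fill each Snapshot from its own fetch() of the deployed URL rather than from the repository files.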