Hugo can add all headers, including security headers, on the local server ( when you type
hugo server in the terminal). It’s pretty helpful for the debug, as some can break your website.
I had a problem setting them at first, but it occurred to me it was a small typo in the documentation, as it does not work well if you target .html only:
read the thread
The documentation has been updated since then, and you can test headers locally with a few lines in
config.toml, for example:
Permissions-Policy = "interest-cohort=()"
Strict-Transport-Security = "max-age=31536000; includeSubDomains"
X-Frame-Options = "SAMEORIGIN"
X-Content-Type-Options = "nosniff"
See complete documentation