invalid header rules due to exceeds the maximum allowed length of 2000 on CloudFlare #606

Open
codeflorist opened this issue Feb 27, 2025 · 7 comments
Labels
bug Something isn't working

Comments

@codeflorist

Environment

------------------------------
- Operating System: Windows_NT
- Node Version:     v22.11.0
- Nuxt Version:     3.15.4
- CLI Version:      3.22.2
- Nitro Version:    2.10.4
- Package Manager:  [email protected]
- Builder:          -
- User Config:      runtimeConfig, modules, css, vite, eslint, storyblok, booster, i18n, postcss, app, image, veeValidate, site, sitemap, cookieControl, nitro, compatibilityDate
- Runtime Modules:  @storyblok/[email protected], @nuxtjs/[email protected], @nuxtjs/[email protected], @nuxt/[email protected], @nuxtjs/[email protected], @vueuse/[email protected], @dargmuesli/[email protected], [email protected], @vee-validate/[email protected], @nuxt/[email protected], @nuxt/[email protected], [email protected]
- Build Modules:    -
------------------------------

Nuxt Security Version

v2.1.5

Default setup used?

Yes, the bug happens even if the security option is not customized

Security options

Reproduction

Description

Many thanks for creating this package!

When building my app for hosting on CloudFlare, SSG prerendered pages result in the following warning:

Found 22 invalid header rules:
  ▶︎ Ignoring line 15 as it exceeds the maximum allowed length of 2000.
  ▶︎ Ignoring line 32 as it exceeds the maximum allowed length of 2000.
...

Looking at the generated dist/_headers file, the content-security-policy header and specifically all the sha256-hashes seem to be the problem.

Here is an example:

  content-security-policy: base-uri 'none'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'sha256-iI4hg7QAwTAOgQ8GPnGBD2tbtgMP9fKn8Bbd4jMVzuQ=' 'sha256-9ocTIEyj2LD1TLEZueeeLmax094cXpSmWja18jG2MKw=' 'sha256-txDvJsTLV/6i1zmOdtyVSzv2RLT6MkALP2DDZqmtCD4=' 'sha256-QvQBjbj2aQY2P9qTWwSytonvotg/78METR6U18ggmkM=' 'sha256-g6IsjQHgKALf5QtDySRTgavUSFYe0FfgDyOdLkzsLwc=' 'sha256-fDvWSMyiCDTo5V7EOLKIsWRCl0jJ+oo6ZjjheIsIRls=' 'sha384-wS0pwCt2O2Z78uJ2Dt/9VbekDqktXMLCdtCz8N97jjbnLG1rr+BcSUgZ/vwcjdjH' 'sha384-k4UdjGxjYP51P8Tk3zZSBXgIhN/ypp+kR3F6CJ9M0bS+RH1NryP6zXjkF4xDf9xq' 'sha384-wccKJ/4BC5m3ehM4gCUX+2sBHbK7DkJrZt0G1oiALkf20kaLg9GjUzx5QgSYffzg' 'sha384-qt6R7Y/IhnJkH8eXsx5YYP95W9juo1tKz7441LYReshJ8viEd4rD1kUDwasswLnZ' 'sha384-wV/FyIfkoKuneA9gx32UbcC1rWydYJhlr+cMCHu0oN57ZtVcBz8nUCI/A5rPOyHo' 'sha384-4pjM4Swl3h4iRGIa+XTUXtB6pH3UMLWa7wbfmIa3o6Nzwgp7snMRTCprqh4AHXmH' 'sha384-7xjCRlnH52ea1Vocz59ViAU438KXQ6dj+s881bpfteMnWGfu3coLMWMmdlq1kuCD' 'sha384-+zui4e0mIo9PwsNawRiI4BGmd8PxEqQtnYgTsw41/ohi8wqmeDVsfBJ2tTqX3pDS' 'sha384-s5SlgG89nAWKqQFrfkcNn1ROi7E5uph67fTd91vBUv9mnaTtRGUcgGP4t0BcsqI/' 'sha384-SrrLn8xsRllZk0NLUKN4SMBFTRQ3zhANIP8G3e9brG1TQ8SyHaJT/M+JuG98THtT' 'sha384-6VHtGd1Pf2qam4kYchM2gk6O8iwG9p3kFm4nOU5KrFLjH3x/qq2VmPxBOLScOOqw' 'sha384-sbOPY9Eij1uVhZUql23WTcuUHzBhM+5uw7sg1vvskDZZMRHhGC5VU/tiKrMFeD2t' 'sha384-YpWY0x+6yJRsxZsaeQP4mWRZ2k5aEEBS89nbqvSQdOX4dVodFpx/jmYcrjHnibXo' 'sha384-/9DTJk8688GJ6seSZEExlFkZz92DztIEMkTWbOPwS+9u1ZdIPvcMQHfLZsnjWUkp' 'sha384-d/mEnehgaHRQSrYs/ON6uRprPvCuaqcN6qdevZKh0ou/zI4sa51Ftc3ALYa3zqa3' 'sha384-4BvYilS1zbWiXvGOHmYq8Fq8Qc7OXW4kdAJBAhgaxR78sJMUqcxdidRpoC17aegH' 'sha384-y5iW4mN0lDelR3adkh0dHMjPIvj5mFOLHMT1TK4fWLnxFienPN93HGgblGdK22Nv' 'sha384-UbhjCLXwzpwWMs+68WBJySSKHM8bbExICGD3spI4Jlf2iMHD+oEZSgLcp0IRJ3AN' 
'sha384-dYmk1RUcCeq1fuGrw/XoteYPXovsowUV7m8KtPiZK6BV/Zvfbewdz1tpxzd4liG2' 'sha384-ffhsnYBxmp9xTiR+QL9uATm/9XX7Sk+R2BY0DOEowtPUCNrBgnqQggBZ2sP8KLDL' 'sha384-u2LkzVY7W7aL0y/yZjjJ9fZdwKtxzn0xcV7BIsNyyDBS5QUYxR0ibTsHo6tOnaNm' 'sha384-6FscCbUsGL7CSxjopdGh9ZpT+Ew8wMN+n3lxO1FwxOfMXjvu0PSz/miSucxXlXn3' 'sha384-2QhSu8/ovtcFhX8wbmdb5X2kjTpG+w1t59bzN5p/M2XMlBiHQD4A6yLGWTtfVV4q' 'sha384-YThRAOXo64KmbPA0LNmlrHg6k5jRLPFL96wjDfwGT4BlcaD0L6ZGuy2ZT4Pqlj2y' 'sha384-W6utHrDLXAo/1uudU2nbwAtO2PMLs12UY0P8KS/Et1biW8v2RvIM18TWAvxIWHWv' 'sha384-fOmqA0FE4i2HhGeTvzlC22zytVgquY/Yza7kgHEsOozz97OTk566kU7XrydMvC/K' 'sha384-ocHv98Xga3CxL141uFiYmbim/jPSqOLX8TPdfVBNokrKrz0k4hYS/ksWWjVUqJ5s' 'sha384-fKnuKub6cZMSFypG+VsvyMJi1V68JV1CgCEDkmHzYXTuu87583Hc3w91xoi9BFZu' 'sha384-LYRjRd+SBylBViYuqPZv4lvthfiLq4o15sWv2AqlYEeoRWdJQQ/gVl1PYq2tnl5E' 'sha384-8d6IKkfZzs7X3/sRZb8P/ipLao714YQ2ETQZtXCWxYdag0qtfh+pH/Y6C2ssF+yX' 'sha384-TQ2xy14lO+BOzx4ELx/GKfD7IH+kiig2CmI3HzCe4o9fkex+sahpz2fOQmlt9n8V' 'sha384-F25agcVMmWq42WXWGds6VVrawFc1Fh7sYc/t5ckjnqRbjCJzgXu7CojCQkHSUi7C' 'sha384-zApSQE6SoOhvMny2HycJ/eNbihFVJiYkXDpo+1uvk4gjZkaAc9d04SwNhWqUYLDs' 'sha384-nO/s6NKHySswbaHkJ4kdfib55k5xHCJ6Sjiyw6jQtYrpuKaGPQvKYmhnuD21BEI3' 'sha384-xd69HZj9+gkH70MI1dIOZww2/aE0Y9hJ3N31Ik/1Ggo0+Z7EoVgm/ckB8qK8K9x0' 'sha384-xTqosyQ2jUaJGjs1n/KetJYR7h7YfF+huXEJGWQVE0f8YA1ft/w0t6WvuzebC+Yg' 'sha384-ow5InQuO7DRrsXQ8Ir1puK+cw8pHWba7TAogwLFiyE7gijbzywin/IGkFPlIgkoY' 'sha384-KhLg3wtB9ak2kNcbEU2f0nCwRIpSYOwp3xAJIDQOT23mvbV7nCBesGJ3EVopich2' 'sha384-6WZyJkANXF9sA4M/AhbxT7aFafnfHefEXBorrW3LyaYgN5yXU6Xfcqy0NnT3hrWP' 'sha384-sSxbSyPFshm83AsAXKE+xLICnXYdpVu8GS/NTQ85tLUPQcGUEG5BuaUc7aQA9D4V' 'sha384-vPBxYgtdMbY9gBENPzUwBBodp0a/swuZkTwJCEyKp5o/yj3tu4mhz0kXNS/uYsmD' 'sha384-1mtP14lfmKiglC7O1dM6/JXDFejj7QAjup72sOiCJJXpSBVAR+o27uJiLUiK684Q' 'sha384-OFENqS74QX30EUnLDRCEFm0Zd9hmF7PyeauG6/SJ5FODXbxwwKguz86RL4XQl4u0' 'sha384-7zqYo656QcwjKapWDscsC3Niw6DfDDU08p0DeQZpMJEJiEFPxC0h2aLCbKD/N3Ea' 'sha384-ZRvFiFkYEFKNBORPNhSq1ElcOoXcj8Ft1YsDYAOtBsVGjnWzPE9+U7qugGchbNVN' 
'sha384-EmutaveclJGXY9yOIPwnpjY2CYnjXgTB02J4ELkXH5SLV28oLHtTtgv3HWXi0vE9' 'sha384-bGmYG+8i3EUa1ur585NFX6sgIyRanCuzx93kj4whbfpZRHppysO75XS5HMv/YuJh' 'sha384-61hxbia5IHkEOwt5LU/9SZD5MCsjJc1RkO5qRFGqYzqlfsa2Uk1YihnlGjdRIDBt' 'sha384-rd36lbwWDQNE29MQNtWELIxCqdSFBwfM1JO60uTYzRwIvDIEdG2lGMSFQJCSMZNQ' 'sha384-75MGZlVmvnOpqWMsB6x5CNFD6Pl3Lr/hwj2z8PquYN8KTI1QOYW59qLx1J7xE36P' 'sha384-i+3qMXHLwa9zUbaJkqD31SJDYOGPwrt6/Ksl81Gwh6PxhHH0AgyF8HeW5yIGW36O' 'sha384-a2z0VmhmSNNLgGbB3GMoWcNUn5OkMEfjMVbB1yXVTNbS+1EbmZS3ffg0bANj5/ju' 'sha384-oVqAB7gNpb0o2Tcr0fk4QhQHzrj+yI/tIZKI7Oqh1JEITTVf4d/6VxjZtpRHUokR' 'sha384-UutZGIMbqsYnW23T61GcgM/Ma7CnXlOqlwTvlQURACe5b20PZGE0JKYnNSlNJ4hh' 'sha384-jt8sCKJveQdzHZ56SjOgRUZg6159qsjdhDdTwH5jFYVg2MTtJuKjPgMcBTsZKAJL' 'sha384-cbXkRE77Cy4DyhFpkC8tBy6YRVRvbxKWHigYdOsIbCfDuSwwQ5YlH6ei4Wlu94AD' 'sha384-cVr50DCgBt0g18Atx7c8b2lJb0KHwokYUN2sQHdlG1BeqUFgjFUQW2wG1GTYg1cg' 'sha384-eJwQhYIDwufyovPSWtNpfRDF394Kt1PR8koVQNDEkxxqZ5GrF1woGO9sdNhpDyk0' 'sha384-AvFVoGVsniZ/eY0JXA/mvNwgQFLajTg3VqTl1eRGUzAA3dvZiG31pY31kQNFeRpB' 'sha384-Y7gbnxhDSl01+v+gXacf3zV/ZR/bhD1jW3i4J/6rIXE1lm0jcyLAL5K9n6gCc576' 'sha384-kTD8kUR3Gph50qt7HfVHa+ndBGJFT7ZxtFTwktaXUoU6yI34KorOpMx8g3w8bv8R' 'sha384-HwNmF+qkVhi/ui7rxJ6tB6CsIPNINHTIb+rNpxzAP5RJSFd/ghmSQpfGnOyBD1h2' 'sha384-3BL1AnYwG6o+PSd5KVPzst53qDKTh0RZ21mbVa7eAjUXZdXmK/u8x46kLZGqiZvb' 'sha384-aT9biVpnh4hEFv0sNCkfWEr1vHlohe7Ad4NnikLTSKCkBi9/hdN1R4SkZH4SrWsB' 'sha384-XSuKUD4rTMfnv4921FGVSmUrxoFP7T1Hve4NYK9mDa5bPjNrXsuw2MV+9qzxjT+7' 'sha384-IS7gcaCak4QPjjC3v7VhKzoyh98f3iEhB3/s4R0VIiASSl4qTTukoSiyckKQpeVO' 'sha384-CicExUX13VC4w7wa4Rh+tt5wjvz5r00oUmhp2gyAB7DeUIGMPcF/hXZnu8eqwxKE' 'sha384-PjF1KZbRGNSuE91ZFgjyYmTgymxQuOJWFt/Qi0yRwyz6/gRxMUzVcDzKXCzT/4g9'; upgrade-insecure-requests;

Is there any way to mitigate this? Should I simply use contentSecurityPolicy: false?

Additional context

No response

Logs

@codeflorist codeflorist added the bug Something isn't working label Feb 27, 2025
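
Added example, not part of the issue thread and not nuxt-security's own code: a small audit for a generated `dist/_headers` file that reports every header line longer than the 2000-character limit quoted in the warning above, together with the number of hash sources per CSP directive on that line. The function names are hypothetical, measuring the full raw line (indentation included) is an assumption, and the sample input is constructed.

```javascript
// Limit taken from the warning text in this issue. Counting the whole raw
// line, indentation included, is an assumption about how it is measured.
const MAX_LINE_LENGTH = 2000;
const HASH_SOURCE = /^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$/;

// Count hash sources per CSP directive, e.g. { 'script-src': 78 }.
function countHashSources(cspValue) {
  const counts = {};
  for (const directive of cspValue.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name) continue; // empty segment after a trailing ';'
    const hashes = sources.filter((s) => HASH_SOURCE.test(s)).length;
    if (hashes > 0) counts[name.toLowerCase()] = hashes;
  }
  return counts;
}

// Return one finding per header line that exceeds the limit.
function auditHeadersFile(text, maxLength = MAX_LINE_LENGTH) {
  const findings = [];
  let currentPath = null;
  text.split(/\r?\n/).forEach((line, index) => {
    const trimmed = line.trim();
    if (trimmed === '' || trimmed.startsWith('#')) return; // blank or comment
    if (!/^\s/.test(line)) { // unindented line: URL pattern for the rules below
      currentPath = trimmed;
      return;
    }
    if (line.length <= maxLength) return;
    const colon = line.indexOf(':');
    const header = colon === -1 ? '' : line.slice(0, colon).trim().toLowerCase();
    const value = colon === -1 ? '' : line.slice(colon + 1).trim();
    findings.push({
      line: index + 1, // 1-based, like the "Ignoring line N" warning
      path: currentPath,
      header,
      length: line.length,
      hashSources:
        header === 'content-security-policy' ? countHashSources(value) : {},
    });
  });
  return findings;
}

// Constructed sample: a `_headers` file whose first CSP line carries
// `hashCount` placeholder hashes (not real digests).
function buildSampleHeaders(hashCount) {
  const fakeHash = "'sha384-" + 'A'.repeat(64) + "'";
  const csp =
    "base-uri 'none'; script-src 'self' 'strict-dynamic' " +
    Array(hashCount).fill(fakeHash).join(' ') +
    '; upgrade-insecure-requests;';
  return [
    '/',
    '  x-frame-options: SAMEORIGIN',
    '  content-security-policy: ' + csp,
    '/about',
    "  content-security-policy: base-uri 'none'; script-src 'self' " + fakeHash,
  ].join('\n');
}

for (const f of auditHeadersFile(buildSampleHeaders(30))) {
  console.log(`line ${f.line} (${f.path}) ${f.header}: ${f.length} chars`, f.hashSources);
}
```

To check a real build, pass the contents of `dist/_headers` to `auditHeadersFile` in place of the constructed sample.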
@Baroshem
Owner

Hey there,

Thanks for reporting this issue. I think it is a duplicate of #504. Could you share your case there so that we can keep track of it there? :)

@codeflorist
Author

codeflorist commented Feb 27, 2025

Hi @Baroshem,

I saw that issue, but it's a different problem.

#504 is about the maximum allowed count of header rules, which is mainly dependent on the amount of pages one has.

This issue is about the maximum line length of a single header (specifically content-security-policy), which seems to get problematic in SSG generated pages, because it exceeds the 2000 character per line limit pretty fast due to the multiple sha256-hashes.

I assume that such a long header might also be problematic under other (non-CloudFlare) circumstances or environments.

@Baroshem
Owner

Ah I see, thanks for clarification.

It seems that, as you mentioned, it is caused by the SHAs, but based on my knowledge this is how it is supposed to work (generate SHA for each script).

Please correct me if I am wrong here @vejja - can we somehow provide a fix for that?

@vejja
Collaborator

vejja commented Feb 28, 2025

I see
The immediate fix for you @codeflorist is probably to set the exportToPreset option to false (under ssg) - same as #504
Separately if you can post a screenshot of your html head section, it would be useful for us to understand why you have so many hashes?

@codeflorist
Author

@Baroshem, @vejja
Many thanks for the help, you two!

ssg.exportToPresets : false gets rid of the warnings.

Here is the head (I've removed all <style> elements due to length):

  <head>
    <meta charset="utf-8" />
    <meta
      http-equiv="Content-Security-Policy"
      content="base-uri 'none'; font-src 'self' https: data:; form-action 'self'; img-src 'self' data:; object-src 'none'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'strict-dynamic' 'sha256-ivIk8jaIlJqI/VSuZ8WHKfP9c9l7LuFY9r+imeCj5ZU=' 'sha256-s7Gxndj2Fs1Svxn4Ebnl9mbhGNWS24dfQiqkJqtLORg=' 'sha256-txDvJsTLV/6i1zmOdtyVSzv2RLT6MkALP2DDZqmtCD4=' 'sha256-QvQBjbj2aQY2P9qTWwSytonvotg/78METR6U18ggmkM=' 'sha256-g6IsjQHgKALf5QtDySRTgavUSFYe0FfgDyOdLkzsLwc=' 'sha256-fDvWSMyiCDTo5V7EOLKIsWRCl0jJ+oo6ZjjheIsIRls=' 'sha384-4wfGye9ie622jNW15gO5XJswu86+pVupqh1XnmnepYG2aQOCInQmWmfdyLeALaGe' 'sha384-E8i6wIfdEhoGSk4bMkt1GrgOmzMuiLf7EB4ldCa8ASpWBcAPBiEEr7jMnUaWsuZH' 'sha384-9FxzviiYaqUCfhqxF8B9ohvdX6Z8l+5611aYFT55IU+/1nucWqaIReLX/DZYFKUb' 'sha384-fRUoyithyogf7jb+MfZet6pUKd19S0jSC52ohqKtbty12KYrVBKGECaQ+gonUJ+5' 'sha384-wV/FyIfkoKuneA9gx32UbcC1rWydYJhlr+cMCHu0oN57ZtVcBz8nUCI/A5rPOyHo' 'sha384-ToawDtXs5JMLQozIv2MRp2tOUzWKnoontSmC/9KaQeRpYwGLR7HQVgQFAs8Jb4mV' 'sha384-eOtbXiZTy8xAmrVNPt/NyoFI1LZqPegwRSyOCkmJezrmOerB+aI22hkOeZTPuSR+' 'sha384-i8pwAPYYgqzaXtUXJ+oVFazfupcSSLkyTdcwqjLwj8E+7r6h1jR9aTEI4xg+yYuM' 'sha384-LalqKzJxrb/AsvIqdwTNMpu53c/4SRVwvsjkkm8//wB1mIei0cti8MphRkOZsYv/' 'sha384-ZATK5wueae9xHCqn6GVSqFRE8a/PPmte2l3YKpANy84TEOn7WDdVK/2H8aZlZChc' 'sha384-4O0uR16qWHMD/lgD6laTNSkIpgPGciTv9JHMSPiJTiG0qatbqvz065G9QHNW12ws' 'sha384-CdL3nOcUm+6vAWfFp7Q//ZGn3i7GCMMEIqSwI8FgtdhQh7GlTWGmW5h/xkJIDDcq' 'sha384-4iP93nV+NLFIO3Qjggb5BnhsRmbRDvELHHObG2vBitsUolm/QqPac8tcvvuwvW+g' 'sha384-/9DTJk8688GJ6seSZEExlFkZz92DztIEMkTWbOPwS+9u1ZdIPvcMQHfLZsnjWUkp' 'sha384-Lw3xtYYlNU4+zEPJdB4HK7Sq2QrIGVlemgERPueGH7mC2T4jjfiLLpjfqf13XyLQ' 'sha384-9z2pWQrhs2hZn3Jlea91hV6g6pJbAyYjeI2Z9Ll5G3gUV8OjlPZwbwBfARHoZVTh' 'sha384-/aE5nQaiFTRdC9EHkbMoqqYsRIuy0242XUO5SdPqj6kl//j7wp9RV4uG+8cudjkI' 'sha384-v4B7QXnb60+7Sc8ne7vrUY0qPc7uefiWe3bNrmCbNygn5RGBc8zH2Km7Pt0Q4VJH' 'sha384-nSXIYbotrKOyw7dKNmfvUIQoXjFvuvTL/4Jv7FvRiwH+rLHTYYRX13/nAjnd2Xev' 
'sha384-Byq1/DPIOaGtsB+qXp7fNq/smaOUtaquZNn/by3F80iTD3lGH8Us0xrjb4JzbK5x' 'sha384-E4RV4R94AN+VZDZTetW4v1iCt/o8Q0f+9tciIxOQuSxEYvLHdcAT4i8Xz79Xguyp' 'sha384-+GtwRNWOXDa+bSIl3qHFtxmh1wDq9BRQr0b13HBTCjBmiVOMRmSfoEgFbjmgQZre' 'sha384-b5kNi2Wlg0ovx0wVdnlYFET4TT5e5Htz3FHuWf689AFbXpq2V4yOEdoW+CnXRwxp' 'sha384-ILIrvqtvo1x+HgZQrFnAyXRUkxmS/Fkx7WFuLHPHIp6OzE3CTM4hqHv6J68dt/lc' 'sha384-PcrU8+tNkthCJODWZy/D9673qhfQtGDA0f4XA9/xpJm3j+7uyX5p6FYMOS+BO4pe' 'sha384-jkDN3FHWmUHWHisR41EPvjfc1GKDS34FLG3Tlbsofu7cJYIWnozlNcSfWbRx38l9' 'sha384-KKt10WmsQtMibpBAADKV16neETLstN3jEy78NJ1phd4ThNf2erUrjA4x0AcISGZv' 'sha384-IsSoHmhQsLTZPfsFZwDEt+8sjz4OQBLfuArFfskE8kMUxixWNn/M9VM20GweuegN' 'sha384-jMM8GbrPhO+Pi6/80v78tow7j0J8TZxt9Ls2G5jsIQe3ALG8V4epeeN0oLodQCJs' 'sha384-MSebpXxnI/yY3W4zideRHIWbRG7tmljpVX/+6L5jOEfdfw7kHTWVef0mWqMakLuY' 'sha384-9HbXC8OXnQ+5xQvr59JvCAVaKnRBVyvRJSnmqGGqZtyoTzJ50ORpYGD6nu7nriPw' 'sha384-px31bpw7yAqqi6jGA2nO89IHVQvaj7RoM6K8T0Wy5S125iUahMHpS0ZZHZ923SNp' 'sha384-PJVWdjp3lzCL6BO9e2nTrEK9leixxkfK9bo190T/dRZHvmvuvhW89r3C9lbd4OFq' 'sha384-nOEOZrj+MWblBbzsduUE8jzvOUtc3MtRsiZtuwObrEp/fuOhgsJBfAJpPsv/LLK3' 'sha384-27h6IUllCXJziGET9fTSGZIyMTBGHrRUr6H27kHsQjPUwsnL5bNZhshnlPFSd3DQ' 'sha384-GAx/iuUPR9tQZeq3dd9OyRJDOzQ2a+GxsQGRVvJIP8uqxU7qx2PiZB2aWdT37fgW' 'sha384-P0v0X0QGjOCfoI+MVisD04qzwW0xpOp/rWzUUG/lNIX2Xa0z5rtabqCmspkp2oeT' 'sha384-kuYJeRj+dsasQ5/QiNHEoLtf04VXRamZSIv24gjj3ef+LcJNtLTvTB8DeZY9QgoD' 'sha384-hO0leGx734Q/hZX1DAUamXdh9M4ZA31bqgrVEKctjci2lR9EZ3qlBSht4VNGNJvj' 'sha384-F0ins2r3iu79Yu0QetQvDgMsP0GxxsQmqL8ufObGkD/BgkuJm5jUOoVy+wcm37en' 'sha384-CcZry2mYpVh+MES4dVxU0vFqnmX8i27KX7BAnQHr0mmeAlFuPvxb848Hm+IF8Hwm' 'sha384-9qr+4mSgebAr4QuOaVr4/gGLos5oAuhgQuJIe26fIYGsInwDO/OI9E35QW6tCJqR' 'sha384-0p4wtgPn0yvWpXelXDrqJrv6YSblHKSjH+PLCNYWmnBr2VtBqkw2PWk8LQ7QBqCe' 'sha384-DeMQTbAo/oIdy3zjFYsM0y/yrcFjgHL2IbRjv2E0OM8/y3FCQxDu8kfByWdvohuE' 'sha384-LExiycu6nWWrzEe5k9x3MJ+5lP1N4DY1xm22UYvp5wwe1dHmcv6KRUpN8meMdEHX' 'sha384-ezdF3xYX0wqStS0czRbFIpZDW/GO0NRkAY4vJ8eGPnj2Bqo8v8ItqJ2EJ0otz6YH' 
'sha384-w+Ls1MsdN1At01PWQPcqdlRa0cidf8BKYnbm0P4embuUsDU1TaPmUn51AS6+WFWJ' 'sha384-9VagSRhMX7lYLGc8uPLRxEp+bYOhqNdM/hLEb6c1XShnOct1wL+HnK0Od08oJM77' 'sha384-im2eUYDaCZj2BDk7PwV/bqZI9gaAY6jjuj09wcJu4DOslJIAw5ymPjR4FbGxVLMc' 'sha384-qKsg5apG3MtuiWzl3YIk6MwZ2Hc+xyoQVldfEVKxJtMBPmY7qgvAyV8acdzQ2cM8' 'sha384-KfIHTvfRu4YqaiC9YMgOs6qaTHQz5xK4SgFVKlKIrwCj7hd4b5O+viaDekLdyhMR' 'sha384-hwn7dmNY0OjvChuWFnoLQiwmYUAQG/HcdKM/BvNWdM/swDhTEsj3awrPU05MGqb8' 'sha384-tkNtzNa1L1PG+k8QQw2nmiZnb3UKnEekUWx/tluZetEg9/2GXzR6JznC1T9XApKp' 'sha384-zqj2CyrWkHcNoaGr9z2bC924ULs5Tyq+xd0+IwZkhrsAOb3eKU3VFRDX0iG62Wx6' 'sha384-RtHhG9SmFW1SjDAS5DPsH9hDbRBZqa9ChJ7NqLNlmhw8Abe2UblKZbB+5jGPmDTG' 'sha384-Y+rV66sdKDeHPxG8OvIev4Xx9EuRJtZ0P0pIZTil0F5rN5K4NyYiPuFzxhaYs3dH' 'sha384-ouh7Om/Q5zcUnQYt3r6llk595ivHNd6SLBcz1uogo5JVuPNs5w7NBqbiykGsVzlh' 'sha384-+UeJEe0IV5Nspp4IeCIKxwlzw7OS82naNcsgtTZcanl3epOClvxsJURduWSewUoF' 'sha384-fhPhR2AjGhHGTtSK01bGrHrq/OxN4z0sRAx5+1ThP71MsNmJZ+DJT+OMP++nLNC4' 'sha384-J/eWaql+gMHVxP+BhqRICbr23pGCBgffKy0aIbUhgH7QrHT92jmHIqoXvKJn8ogU' 'sha384-TQv+iak/+zVj3bNMsuk6ml0Vlq4H8H7CjxXGyh+4sHpcZv2m2AliKQXpS7r9pq0V' 'sha384-YdbkcLQXkN3f7EXkc3GNqKyA5KnupxUa3f+Z/Jz4feBQ9q1zRuS3QtP0Lk2+GH2a' 'sha384-3nREccX5kofNhkL45NzofJFWNTnbWqZkwXt3+/56fnSdH5mU3UfcjuyP92yZJc8K' 'sha384-MvIB40081t78tAmeEgXeovkzpiw1sw7aYHGXEshaIPUakruMbepSE0+xhIoSrWgd' 'sha384-FEs3yfhdBo6v8Qz0cz4ZmY41DAI2kfCN5s9jSoN6Nq5ZlPEbKm0MEFt/39mcfXCt' 'sha384-OmH0m6yVy2O+LkDsjv34Bmqe+/IdvWg+lQQugedxLrB6hQd+wNF6TMDdjcohEVbi'; upgrade-insecure-requests;"
    />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <title>Home - My Website</title>
    <link
      rel="preload"
      as="image"
      imagesrcset="/assets/images/639x426/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 639w, /assets/images/767x511/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 767w, /assets/images/1023x682/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 1023w, /assets/images/1278x852/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 1278w, /assets/images/1279x853/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 1279w, /assets/images/1534x1022/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 1534w, /assets/images/1535x1023/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 1535w, /assets/images/1920x1280/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 1920w, /assets/images/2046x1364/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 2046w, /assets/images/2558x1706/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 2558w, /assets/images/3070x2046/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 3070w, /assets/images/3840x2560/smart/filters:format(webp):quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg 3840w"
      imagesizes="(max-width: 640px) 639px, (max-width: 768px) 767px, (max-width: 1024px) 1023px, (max-width: 1280px) 1279px, (max-width: 1536px) 1535px, (max-width: 2048px) 1920px, 1920px"
    />

    <meta name="msapplication-TileColor" content="#aa191e" />
    <meta name="theme-color" content="#ffffff" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96" />
    <link
      rel="shortcut icon"
      type="image/png"
      href="/favicon.ico"
      sizes="96x96"
    />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <meta name="description" content="This is my website." />
    <meta name="robots" content="index,follow" />
    <meta property="og:url" content="https://my-url.example.com" />
    <meta property="og:type" content="website" />
    <meta property="og:site_name" content="My Website" />
    <meta property="og:locale" content="de" />
    <meta property="og:title" content="Home - My Website" />
    <meta property="og:description" content="This is my website." />
    <meta name="apple-mobile-web-app-title" content="My Website" />
    <meta name="application-name" content="My Website" />
    <meta name="twitter:card" content="summary_large_image" />
    <meta property="twitter:site" content="@my-website" />
    <meta property="twitter:creator" content="@me" />
    <meta property="twitter:url" content="https://my-url.example.com" />
    <meta name="twitter:title" content="Home - My Website" />
    <meta name="twitter:description" content="This is my website." />
    <meta
      property="og:image"
      content="/assets/images/1200x630/smart/filters:quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg"
    />
    <meta
      name="twitter:image"
      content="/assets/images/1200x630/smart/filters:quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg"
    />
    <link rel="canonical" href="https://my-url.example.com" />
    <link rel="alternate" hreflang="de" href="https://my-url.example.com/" />
    <link rel="alternate" hreflang="en" href="https://my-url.example.com/en" />
    <script type="application/ld+json" data-hid="6553f88">
      {
        "@context": "https://schema.org",
        "@type": "WebSite",
        "@id": "https://my-url.example.com/#website",
        "url": "https://my-url.example.com",
        "name": "My Website"
      }
    </script>
    <script type="application/ld+json" data-hid="5bc3eb6">
      {
        "@context": "https://schema.org",
        "@type": "WebPage",
        "url": "https://my-url.example.com",
        "inLanguage": "de-DE",
        "name": "Home - My Website",
        "description": "This is my website.",
        "breadcrumb": {
          "@type": "BreadcrumbList",
          "itemListElement": [
            {
              "@type": "ListItem",
              "position": 1,
              "item": {
                "@type": "WebPage",
                "@id": "https://my-url.example.com",
                "url": "https://my-url.example.com",
                "name": "Home"
              }
            }
          ]
        }
      }
    </script>
    <script type="application/ld+json" data-hid="758233f">
      {
        "@context": "https://schema.org",
        "@type": "ImageObject",
        "@id": "https://my-url.example.com/#primaryimage",
        "url": "/assets/images/1200x630/smart/filters:quality(80)/f/289247/1920x1280/46ffc05d85/architektur_204.jpg"
      }
    </script>
    <script type="application/ld+json" data-hid="7fe4105">
      {
        "@context": "https://schema.org",
        "@type": "Organization",
        "name": "Adwerba",
        "legalName": "Adwerba",
        "address": {
          "@type": "PostalAddress",
          "addressCountry": "AT",
          "addressLocality": "Salzburg",
          "postalCode": "5020",
          "streetAddress": "Schallmooser Hauptstraße 85A "
        },
        "geo": {
          "@type": "GeoCoordinates",
          "latitude": "47.80827789588115",
          "longitude": "13.06094056931345"
        },
        "image": null,
        "logo": null,
        "email": "[email protected]",
        "url": "https://my-url.example.com",
        "telephone": "+43 662 64 31 25",
        "faxNumber": null
      }
    </script>
    <script
      integrity="sha384-4wfGye9ie622jNW15gO5XJswu86+pVupqh1XnmnepYG2aQOCInQmWmfdyLeALaGe"
      type="module"
      src="/_nuxt/MSjzoOib.js"
      crossorigin
    ></script>
  </head>

Let me know if you need any more info!

@codeflorist
Author

Hmm, putting this in nuxt-config:

	security: {
		ssg: {
			exportToPresets: false
		}
	},

... results in these error messages:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src-attr 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

@vejja
Collaborator

vejja commented Mar 5, 2025

One of your modules (or - less likely - yourself) is inserting inline event handlers.
Can you have a look in the console at who is the culprit so that we can refine the analysis?
