Can I add CSP to GitHub Pages?

Only via an HTML meta tag — not as an HTTP header. Meta CSP has limitations but covers most XSS protection cases.

What grade will my GitHub Pages site get on securityheaders.com?

Typically C or D because CSP and Referrer-Policy cannot be set as headers. The missing headers reduce the score.

Is there a way to add CORS headers to GitHub Pages?

No — GitHub Pages does not support custom response headers. If you need CORS, host your API elsewhere and configure CORS in your API server.

Headers

Security Headers on GitHub Pages — What Is Possible and What Is Not

Updated April 2026

 Reading this article? Verify your fix in real-time. Scan your site headers → HeadersFixer

GitHub Pages does not support custom HTTP response headers. You cannot add HSTS, CSP, X-Frame-Options, or any security header directly. Here is exactly what you get by default and what workarounds exist.

What GitHub Pages gives you by default

Header	Value	Notes
Strict-Transport-Security	max-age=31536000	Set by GitHub — good
X-Content-Type-Options	nosniff	Set by GitHub — good
X-Frame-Options	DENY	Set by GitHub — good
Content-Security-Policy	Not set	You cannot add it
Referrer-Policy	Not set	You cannot add it
Permissions-Policy	Not set	You cannot add it
CORS headers	Not set	You cannot add them

What you cannot do on GitHub Pages

Add custom HTTP response headers (no server config access)
Set Content-Security-Policy header
Set Access-Control-Allow-Origin for API calls
Modify Referrer-Policy
Remove the Server: GitHub.com header

Workaround 1 — CSP via meta tag

CSP can be set in an HTML meta tag instead of a header. It is less powerful (cannot use some directives like frame-ancestors) but works for most XSS protection:

<head> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';">
</head>

Limitations of meta CSP: cannot use frame-ancestors, sandbox, or report-uri. GitHub Pages already sets X-Frame-Options: DENY so clickjacking is covered.

Workaround 2 — Move to a platform that supports headers

Platform	Custom headers	Free tier
Vercel	✅ vercel.json headers	✅ Yes
Netlify	✅ _headers file	✅ Yes
Cloudflare Pages	✅ _headers file	✅ Yes
GitHub Pages	❌ Not possible	✅ Yes

Workaround 3 — Cloudflare proxy in front of GitHub Pages

Point your custom domain through Cloudflare (free plan). Use Cloudflare Transform Rules to add response headers:

Cloudflare Dashboard → Rules → Transform Rules → Response Header Modification → Add rule → add your security headers. This applies at the Cloudflare edge before the browser sees the response.

What securityheaders.com shows for GitHub Pages

A raw GitHub Pages site will typically get a C or D grade because CSP, Referrer-Policy, and Permissions-Policy are not set. If you need an A grade, move to Netlify, Vercel, or Cloudflare Pages — all free and all support full header control.

Scan your site headers → HeadersFixer

Check if your domain is on the HSTS preload list → HSTS Preload Checker