Hosting a static website (like an SPA) with App Platform is hard because we have no fine-grained control over response headers. Two issues here:
  • The documentation for customizing the app spec is obscure.
  • After a long search, we concluded it's impossible to personalize custom headers like the X-Content-Type to nosniff, making our app fail basic cybersecurity testing. We had to move to a dedicated droplet in the end.