From 76c50e3514d541450281fb0c8ad2dabce8bdb6d3 Mon Sep 17 00:00:00 2001
From: Ravi Lodhi
Date: Fri, 6 Dec 2024 17:49:04 +0530
Subject: [PATCH] Improved: Added X-Frame-Options, CSP, strict-transport-security and Permissions-Policy headers in firebase config in context of soc2 compliance (#104).
---
 firebase.json | 75 +++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 55 insertions(+), 20 deletions(-)
diff --git a/firebase.json b/firebase.json
index c1511ce1..8d8e51e5 100644
--- a/firebase.json
+++ b/firebase.json
@@ -11,8 +11,25 @@
 "rewrites": [ { "source": "**", "destination": "/index.html"
- } ]
-
+ } ],
+ "headers": [ {
+ "source": "**",
+ "headers": [ {
+ "key": "X-Frame-Options",
+ "value": "SAMEORIGIN"
+ },
+ {
+ "key": "Content-Security-Policy",
+ "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+ },
+ {
+ "key": "strict-transport-security",
+ "value": "max-age=31536000; includeSubDomains"
+ },{
+ "key": "Permissions-Policy",
+ "value": "camera=self"
+ } ]
+ }]
 }, { "target": "dev",
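Review bot: The Content-Security-Policy value added here (and repeated verbatim for the dev and uat targets in the next two hunks) grants `'unsafe-inline'` and `'unsafe-eval'` to script-src and a bare `*` to font-src, style-src and connect-src, so it does not restrict injected scripts or outbound connections, which is presumably what the SOC 2 item in the subject is after; in img-src, `'unsafe-inline'` has no meaning outside script-src/style-src and `javascript:` is a scheme-source that allowlists javascript: URLs for images, so both read as copy-paste leftovers and should be dropped. If the app genuinely needs inline scripts, a nonce or hash is the usual replacement for `'unsafe-inline'`; either way consider adding `frame-ancestors 'self'` and `base-uri 'self'`, neither of which inherits from default-src, and `object-src 'none'`, which is stricter than the inherited `'self'`. The Permissions-Policy value `camera=self` does not use the documented allowlist syntax; `"value": "camera=(self)"` is the form shown in the spec and on MDN, so confirm how the target browsers parse the bare token before relying on it. Since the same header block now lives under three targets, any later tightening has to be applied three times — hunk 2 already shows the dev copy drifting in indentation — so a note in the commit message or a generated snippet would help keep them aligned.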
@@ -25,25 +42,25 @@
 "rewrites": [ { "source": "**", "destination": "/index.html"
- } ],
+ } ],
+ "headers": [ {
+ "source": "**",
 "headers": [ {
- "source": "**",
- "headers": [ {
- "key": "X-Frame-Options",
- "value": "SAMEORIGIN"
- },
- {
- "key": "Content-Security-Policy",
- "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
- },
- {
- "key": "strict-transport-security",
- "value": "max-age=31536000; includeSubDomains"
- },{
- "key": "Permissions-Policy",
- "value": "camera=self"
- } ]
- }]
+ "key": "X-Frame-Options",
+ "value": "SAMEORIGIN"
+ },
+ {
+ "key": "Content-Security-Policy",
+ "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+ },
+ {
+ "key": "strict-transport-security",
+ "value": "max-age=31536000; includeSubDomains"
+ },{
+ "key": "Permissions-Policy",
+ "value": "camera=self"
+ } ]
+ }]
 }, { "target": "uat",
@@ -56,6 +73,24 @@
 "rewrites": [ { "source": "**", "destination": "/index.html"
+ }],
+ "headers": [ {
+ "source": "**",
+ "headers": [ {
+ "key": "X-Frame-Options",
+ "value": "SAMEORIGIN"
+ },
+ {
+ "key": "Content-Security-Policy",
+ "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+ },
+ {
+ "key": "strict-transport-security",
+ "value": "max-age=31536000; includeSubDomains"
+ },{
+ "key": "Permissions-Policy",
+ "value": "camera=self"
+ } ]
 }] } ]