From 603a5be897e4405d707a9518ef7ebbfcbf75acb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simen=20Heggest=C3=B8yl?=
Date: Thu, 12 Oct 2023 08:52:05 +0200
Subject: [PATCH] Set more security headers

Set more security headers: `Content-Security-Policy`, `Referrer-Policy`, `X-Content-Type-Options`, and `X-Frame-Options`.
---
 CHANGELOG.md | 2 ++
 firebase.json | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce502808c..8f10e290a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ All notable changes to this project will be documented in this file. The format
 ### Security
+- More security headers are now set: `Content-Security-Policy`,
+ `Referrer-Policy`, `X-Content-Type-Options`, and `X-Frame-Options`.
 - Updated dependencies.
 ## [3.10.0] 2023-10-10
diff --git a/firebase.json b/firebase.json
index febc09a53..319dd8474 100644
--- a/firebase.json
+++ b/firebase.json
@@ -11,6 +11,29 @@
 "source": "**",
 "destination": "/index.html"
 }
+ ],
+ "headers": [
+ {
+ "source":"**",
+ "headers": [
+ {
+ "key": "Content-Security-Policy",
+ "value": "script-src 'self' 'unsafe-eval' 'unsafe-inline' apis.google.com"
+ },
+ {
+ "key": "Referrer-Policy",
+ "value": "no-referrer"
+ },
+ {
+ "key": "X-Content-Type-Options",
+ "value": "nosniff"
+ },
+ {
+ "key": "X-Frame-Options",
+ "value": "DENY"
+ }
+ ]
+ }
 ]
 },
 "storage": {
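Review bot: The `Content-Security-Policy` value added in the firebase.json hunk allows both `'unsafe-inline'` and `'unsafe-eval'` in `script-src` and sets no other directive, so it restricts where external scripts load from but does little against injected inline script. If the app really needs those two keywords, the policy can still be tightened around them, for example `"value": "script-src 'self' 'unsafe-eval' 'unsafe-inline' apis.google.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"`. `frame-ancestors 'none'` is the CSP counterpart of the `X-Frame-Options: DENY` entry added below it; the other two directives should be checked against the deployed app first, for instance by serving the policy as `Content-Security-Policy-Report-Only` before enforcing it. JSON cannot carry a comment, so the reason the `unsafe-*` keywords are required belongs in the commit message or the CHANGELOG entry. The enclosing object opens above the hunk, so any header configuration elsewhere in the file is not visible here.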