 

How to add security headers to firebase hosted application

I have seen similar questions but nothing that answers this exactly. So I have an application being hosted by Firebase. I recently ran some penetration tests on it and realized I need to add some security headers to the website.

Specifically: X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options. The problem is I really do not know how to do that. Having done a bit of research, I can see that the way to add headers to my Firebase application is to add them to my firebase.json file, which I will show here:

{
  "hosting": {
    "site": "xxxxxxxxxxxxxxxxx",
    "public": "dist/xxxxxxxxxxxx",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "headers" : [ {
      "source": "**",
      "headers" : [{
        "key" : "Access-Control-Allow-Origin",
        "value" : "*"
      }]
    }],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ]
  }
}

Do I need to add them to the "headers" section of that?

Sorry for the ignorance but any help is appreciated.

Kron asked Mar 04 '23 05:03

2 Answers

Almost complete Firebase Security Headers

Just create your Content-Security-Policy; I've used report-uri.com.

"headers": [
  {
    "source": "**",
    "headers": [
      {
        "key": "Content-Security-Policy",
        "value": "default-src 'none'; script-src 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' https://www.google.com https://www.google.ad https://www.google.ae https://www.google.com.af https://www.google.com.ag https://www.google.com.ai https://www.google.al https://www.google.am https://www.google.co.ao https://www.google.com.ar https://www.google.as https://www.google.at https://www.google.com.au https://www.google.az https://www.google.ba https://www.google.com.bd https://www.google.be https://www.google.bf https://www.google.bg https://www.google.com.bh https://www.google.bi https://www.google.bj https://www.google.com.bn https://www.google.com.bo https://www.google.com.br https://www.google.bs https://www.google.bt https://www.google.co.bw https://www.google.by https://www.google.com.bz https://www.google.ca https://www.google.cd https://www.google.cf https://www.google.cg https://www.google.ch https://www.google.ci https://www.google.co.ck https://www.google.cl https://www.google.cm https://www.google.cn https://www.google.com.co https://www.google.co.cr https://www.google.com.cu https://www.google.cv https://www.google.com.cy https://www.google.cz https://www.google.de https://www.google.dj https://www.google.dk https://www.google.dm https://www.google.com.do https://www.google.dz https://www.google.com.ec https://www.google.ee https://www.google.com.eg https://www.google.es https://www.google.com.et https://www.google.fi https://www.google.com.fj https://www.google.fm https://www.google.fr https://www.google.ga https://www.google.ge https://www.google.gg https://www.google.com.gh https://www.google.com.gi https://www.google.gl https://www.google.gm https://www.google.gr https://www.google.com.gt https://www.google.gy https://www.google.com.hk https://www.google.hn https://www.google.hr https://www.google.ht https://www.google.hu https://www.google.co.id https://www.google.ie https://www.google.co.il https://www.google.im https://www.google.co.in https://www.google.iq https://www.google.is https://www.google.it https://www.google.je https://www.google.com.jm https://www.google.jo https://www.google.co.jp https://www.google.co.ke https://www.google.com.kh https://www.google.ki https://www.google.kg https://www.google.co.kr https://www.google.com.kw https://www.google.kz https://www.google.la https://www.google.com.lb https://www.google.li https://www.google.lk https://www.google.co.ls https://www.google.lt https://www.google.lu https://www.google.lv https://www.google.com.ly https://www.google.co.ma https://www.google.md https://www.google.me https://www.google.mg https://www.google.mk https://www.google.ml https://www.google.com.mm https://www.google.mn https://www.google.ms https://www.google.com.mt https://www.google.mu https://www.google.mv https://www.google.mw https://www.google.com.mx https://www.google.com.my https://www.google.co.mz https://www.google.com.na https://www.google.com.ng https://www.google.com.ni https://www.google.ne https://www.google.nl https://www.google.no https://www.google.com.np https://www.google.nr https://www.google.nu https://www.google.co.nz https://www.google.com.om https://www.google.com.pa https://www.google.com.pe https://www.google.com.pg https://www.google.com.ph https://www.google.com.pk https://www.google.pl https://www.google.pn https://www.google.com.pr https://www.google.ps https://www.google.pt https://www.google.com.py https://www.google.com.qa https://www.google.ro https://www.google.ru https://www.google.rw https://www.google.com.sa https://www.google.com.sb https://www.google.sc https://www.google.se https://www.google.com.sg https://www.google.sh https://www.google.si https://www.google.sk https://www.google.com.sl https://www.google.sn https://www.google.so https://www.google.sm https://www.google.sr https://www.google.st https://www.google.com.sv https://www.google.td https://www.google.tg https://www.google.co.th https://www.google.com.tj https://www.google.tl https://www.google.tm https://www.google.tn https://www.google.to https://www.google.com.tr https://www.google.tt https://www.google.com.tw https://www.google.co.tz https://www.google.com.ua https://www.google.co.ug https://www.google.co.uk https://www.google.com.uy https://www.google.co.uz https://www.google.com.vc https://www.google.co.ve https://www.google.vg https://www.google.co.vi https://www.google.com.vn https://www.google.vu https://www.google.ws https://www.google.rs https://www.google.co.za https://www.google.co.zm https://www.google.co.zw https://www.google.cat https://www.gstatic.com/images/ https://www.googletagmanager.com/; manifest-src 'self'; media-src 'self'; report-uri https://YOURKEY.report-uri.com/r/d/csp/reportOnly; report-to https://YOURKEY.report-uri.com/b/g/h; worker-src 'self'; form-action 'self'; frame-ancestors 'self';"
      },
      {
        "key": "Cache-Control",
        "value": "public, max-age=31536000"
      },
      { "key": "X-Content-Type-Options", "value": "nosniff" },
      {
        "key": "X-Frame-Options",
        "value": "DENY"
      },
      { "key": "X-XSS-Protection", "value": "1; mode=block" },
      { "key": "Referrer-Policy", "value": "no-referrer" },
      { "key": "Feature-Policy", "value": "microphone 'self'" },
      {
        "key": "Expect-CT",
        "value": "max-age=86400, report-uri=\"https://YOURKEY.report-uri.com/b/g/h\""
      },
      {
        "key": "Report-To",
        "value": "{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https://YOURKEY.report-uri.com/b/g/h\"}],\"include_subdomains\":true}"
      }
    ]
  }
]
Fabiano Albernaz answered Mar 05 '23 18:03


"headers" : [ {
      "source": "**",
      "headers" : [
        { "key" : "Access-Control-Allow-Origin", "value" : "*" },
        { "key" : "X-Frame-Options", "value" : "deny" },
        { "key" : "X-Content-Type-Options", "value" : "nosniff" },
        { "key" : "X-XSS-Protection", "value" : "1; mode=block" }
      ]
    }],

This seemed to work perfectly well.

Kron answered Mar 05 '23 18:03
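Both answers put the headers under `hosting.headers` in firebase.json, so a pre-deploy check can read that file and confirm the three headers the question asks about actually apply to the paths being served. The Node.js checker below is an added example, not code from the question or either answer; it assumes a simplified glob matcher in place of Firebase's own `source` matching and treats every matching rule as contributing its headers.

```javascript
// Added example (not from the question or answers): report which of the
// security headers discussed on this page are missing or mis-valued for a
// request path, given the "hosting" object of firebase.json. Assumption:
// the glob matcher is a simplified stand-in for Firebase's own "source"
// matching, and every matching rule contributes its headers.
const REQUIRED_HEADERS = {  // allowed values are an assumption drawn from the answers
  "x-frame-options": ["deny", "sameorigin"],
  "x-content-type-options": ["nosniff"],
  "x-xss-protection": ["1; mode=block", "0"],
};

// "**" matches across path segments, "*" within one; everything else is literal.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") { re += ".*"; i++; }
    else if (c === "*") re += "[^/]*";
    else re += c.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^/?" + re + "$");
}

// Effective header map (lower-cased keys); a later matching rule overrides an earlier one.
function effectiveHeaders(hosting, requestPath) {
  const out = {};
  for (const rule of hosting.headers || []) {
    if (!globToRegExp(rule.source).test(requestPath)) continue;
    for (const h of rule.headers || []) out[h.key.toLowerCase()] = h.value;
  }
  return out;
}

// Required headers that are absent or carry a value outside the allowed set,
// so a pre-deploy CI step can fail before `firebase deploy` ships the site.
function missingSecurityHeaders(hosting, requestPath) {
  const present = effectiveHeaders(hosting, requestPath);
  return Object.entries(REQUIRED_HEADERS)
    .filter(([name, ok]) => !(name in present) || !ok.includes(present[name].trim().toLowerCase()))
    .map(([name]) => name);
}

// Constructed sample mirroring the second answer's "headers" block.
const SAMPLE_HOSTING = { headers: [{ source: "**", headers: [
  { key: "Access-Control-Allow-Origin", value: "*" },
  { key: "X-Frame-Options", value: "deny" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "X-XSS-Protection", value: "1; mode=block" } ] }] };

console.log(missingSecurityHeaders(SAMPLE_HOSTING, "/index.html"));  // []
```

Point it at the parsed `hosting` object of your real firebase.json and run it for `/index.html` and a few asset paths; a rule scoped to a sub-path such as `/static/**` will not cover the root document, which this check surfaces.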