Merge pull request #310 from hotwax/104-soc2-fixes

Improved: Added X-Frame-Options, CSP, strict-transport-security and Permissions-Policy headers in firebase config in context of soc2 compliance (#104).
hotwax · Nov 25, 2024 · 639730d · 639730d
2 parents 680f215 + 64a0b64
commit 639730d
Showing 1 changed file with 57 additions and 3 deletions.
diff --git a/firebase.json b/firebase.json
@@ -11,7 +11,25 @@
       "rewrites": [ {
         "source": "**",
         "destination": "/index.html"
-      } ]
+      } ],
+      "headers": [ {
+        "source": "**",
+        "headers": [ {
+          "key": "X-Frame-Options",
+          "value": "SAMEORIGIN"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+        },
+        {
+          "key": "strict-transport-security",
+          "value": "max-age=31536000; includeSubDomains"
+        },{
+          "key": "Permissions-Policy",
+          "value": "camera=self"
+        } ]
+      }]
     },
     {
       "target": "prod",
@@ -24,7 +42,25 @@
       "rewrites": [ {
         "source": "**",
         "destination": "/index.html"
-      } ]
+      } ],
+      "headers": [ {
+        "source": "**",
+        "headers": [ {
+          "key": "X-Frame-Options",
+          "value": "SAMEORIGIN"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+        },
+        {
+          "key": "strict-transport-security",
+          "value": "max-age=31536000; includeSubDomains"
+        },{
+          "key": "Permissions-Policy",
+          "value": "camera=self"
+        } ]
+      }]
     },
     {
       "target": "uat",
@@ -37,7 +73,25 @@
       "rewrites": [ {
         "source": "**",
         "destination": "/index.html"
-      } ]
+      } ],
+      "headers": [ {
+        "source": "**",
+        "headers": [ {
+          "key": "X-Frame-Options",
+          "value": "SAMEORIGIN"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+        },
+        {
+          "key": "strict-transport-security",
+          "value": "max-age=31536000; includeSubDomains"
+        },{
+          "key": "Permissions-Policy",
+          "value": "camera=self"
+        } ]
+      }]
     }
   ]
 }