Merge pull request #751 from hotwax/104-soc2-fixes

Improved: Added X-Frame-Options, CSP, strict-transport-security and Permissions-Policy headers in firebase config in context of soc2 compliance (#104).
hotwax · Dec 6, 2024 · 279a2c4 · 279a2c4
2 parents f88b709 + 76c50e3
commit 279a2c4
Showing 1 changed file with 55 additions and 20 deletions.
diff --git a/firebase.json b/firebase.json
@@ -11,8 +11,25 @@
           "rewrites": [ {
             "source": "**",
             "destination": "/index.html"
-          } ]
-
+          } ],
+          "headers": [ {
+            "source": "**",
+            "headers": [ {
+              "key": "X-Frame-Options",
+              "value": "SAMEORIGIN"
+            },
+            {
+              "key": "Content-Security-Policy",
+              "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+            },
+            {
+              "key": "strict-transport-security",
+              "value": "max-age=31536000; includeSubDomains"
+            },{
+              "key": "Permissions-Policy",
+              "value": "camera=self"
+            } ]
+          }]
         },
         {
           "target": "dev",
@@ -25,25 +42,25 @@
           "rewrites": [ {
             "source": "**",
             "destination": "/index.html"
-            } ],
+          } ],
+          "headers": [ {
+            "source": "**",
             "headers": [ {
-              "source": "**",
-              "headers": [ {
-                "key": "X-Frame-Options",
-                "value": "SAMEORIGIN"
-              },
-              {
-                "key": "Content-Security-Policy",
-                "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
-              },
-              {
-                "key": "strict-transport-security",
-                "value": "max-age=31536000; includeSubDomains"
-              },{
-                "key": "Permissions-Policy",
-                "value": "camera=self"
-              } ]
-            }]
+              "key": "X-Frame-Options",
+              "value": "SAMEORIGIN"
+            },
+            {
+              "key": "Content-Security-Policy",
+              "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+            },
+            {
+              "key": "strict-transport-security",
+              "value": "max-age=31536000; includeSubDomains"
+            },{
+              "key": "Permissions-Policy",
+              "value": "camera=self"
+            } ]
+          }]
         },
         {
           "target": "uat",
@@ -56,6 +73,24 @@
           "rewrites": [ {
             "source": "**",
             "destination": "/index.html"
+          }],
+          "headers": [ {
+            "source": "**",
+            "headers": [ {
+              "key": "X-Frame-Options",
+              "value": "SAMEORIGIN"
+            },
+            {
+              "key": "Content-Security-Policy",
+              "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+            },
+            {
+              "key": "strict-transport-security",
+              "value": "max-age=31536000; includeSubDomains"
+            },{
+              "key": "Permissions-Policy",
+              "value": "camera=self"
+            } ]
           }]
         }
     ]