From 3e7a6d1eb2f654972bd433b5afd5ed2a48917bc4 Mon Sep 17 00:00:00 2001 From: Ravi Lodhi Date: Wed, 20 Nov 2024 10:55:45 +0530 Subject: [PATCH 1/2] Improved: Added X-Frame-Options, CSP, strict-transport-security and Permissions-Policy headers in firebase config in context of soc2 compliance (#104). --- firebase.json | 100 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 95 insertions(+), 5 deletions(-) diff --git a/firebase.json b/firebase.json index 37e88fe87..b90638e47 100644 --- a/firebase.json +++ b/firebase.json @@ -11,7 +11,25 @@ "rewrites": [ { "source": "**", "destination": "/index.html" - } ] + } ], + "headers": [ { + "source": "**", + "headers": [ { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + }, + { + "key": "Content-Security-Policy", + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + }, + { + "key": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains" + },{ + "key": "Permissions-Policy", + "value": "camera=self" + } ] + }] }, { "target": "prod-v1", @@ -24,7 +42,25 @@ "rewrites": [ { "source": "**", "destination": "/index.html" - } ] + } ], + "headers": [ { + "source": "**", + "headers": [ { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + }, + { + "key": "Content-Security-Policy", + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + }, + { + "key": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains" + },{ + "key": "Permissions-Policy", + "value": "camera=self" + } ] + }] }, { "target": "prod-v2", @@ -37,7 +73,25 @@ "rewrites": [ { "source": "**", "destination": "/index.html" - } ] + } ], + "headers": [ { + "source": "**", + "headers": [ { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + }, + { + "key": "Content-Security-Policy", + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + }, + { + "key": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains" + },{ + "key": "Permissions-Policy", + "value": "camera=self" + } ] + }] }, { "target": "dev", @@ -50,7 +104,25 @@ "rewrites": [ { "source": "**", "destination": "/index.html" - } ] + } ], + "headers": [ { + "source": "**", + "headers": [ { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + }, + { + "key": "Content-Security-Policy", + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + }, + { + "key": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains" + },{ + "key": "Permissions-Policy", + "value": "camera=self" + } ] + }] }, { "target": "uat", @@ -63,7 +135,25 @@ "rewrites": [ { "source": "**", "destination": "/index.html" - } ] + } ], + "headers": [ { + "source": "**", + "headers": [ { + "key": "X-Frame-Options", + "value": "SAMEORIGIN" + }, + { + "key": "Content-Security-Policy", + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + }, + { + "key": "strict-transport-security", + "value": "max-age=31536000; includeSubDomains" + },{ + "key": "Permissions-Policy", + "value": "camera=self" + } ] + }] } ] } From bb265f484a127ad8a7fdfe2c37d61c9ed6688a54 Mon Sep 17 00:00:00 2001 From: Ravi Lodhi Date: Fri, 22 Nov 2024 11:38:56 +0530 Subject: [PATCH 2/2] Fixed: Updated security policy header to allow loading scripts related to FCM (#104). --- firebase.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/firebase.json b/firebase.json index b90638e47..871c63ac9 100644 --- a/firebase.json +++ b/firebase.json @@ -20,7 +20,7 @@ }, { "key": "Content-Security-Policy", - "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com https://www.gstatic.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *;connect-src 'self' *" }, { "key": "strict-transport-security", @@ -51,7 +51,7 @@ }, { "key": "Content-Security-Policy", - "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com https://www.gstatic.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *;connect-src 'self' *" }, { "key": "strict-transport-security", @@ -82,7 +82,7 @@ }, { "key": "Content-Security-Policy", - "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com https://www.gstatic.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *;connect-src 'self' *" }, { "key": "strict-transport-security", @@ -113,7 +113,7 @@ }, { "key": "Content-Security-Policy", - "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com https://www.gstatic.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *;connect-src 'self' *" }, { "key": "strict-transport-security", @@ -144,7 +144,7 @@ }, { "key": "Content-Security-Policy", - "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *" + "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com https://www.gstatic.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *;connect-src 'self' *" }, { "key": "strict-transport-security",