ragusa-it/ragusaitweb
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Merge pull request #20 from ragusa-it/sentinel-security-headers-5394727340569705425

Browse Source 
🛡️ Sentinel: Add Security Headers to Firebase Config
This commit was merged in pull request #20.
This commit is contained in:
Melvin Ragusa
2026-01-25 15:15:39 +01:00
committed by GitHub
parent 949d5ab8b9 5f7f422167
commit 2503e71dc5
2 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.jules/sentinel.md Normal file
View File

@@ -0,0 +1,4 @@
## 2025-02-12 - Missing Security Headers in Firebase Config
**Vulnerability:** The application is served without standard security headers (CSP, X-Frame-Options, etc.), leaving it vulnerable to XSS, Clickjacking, and MIME sniffing.
**Learning:** Single Page Applications (SPAs) served via static hosting (like Firebase) rely on infrastructure configuration for security headers, which are often overlooked. Default configurations are rarely secure enough.
**Prevention:** Always configure `firebase.json` (or equivalent) with strict security headers (CSP, X-Frame-Options, HSTS, etc.) at project setup.

23
firebase.json
View File

@@ -11,6 +11,29 @@
"source": "**",
"destination": "/index.html"
}
],
"headers": [
{
"source": "**",
"headers": [
{
"key": "X-Content-Type-Options",
"value": "nosniff"
},
{
"key": "X-Frame-Options",
"value": "DENY"
},
{
"key": "Referrer-Policy",
"value": "strict-origin-when-cross-origin"
},
{
"key": "Content-Security-Policy",
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://api.emailjs.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' https://api.emailjs.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none';"
}
]
}
]
}
}