ragusa-it/ragusaitweb
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

🛡️ Sentinel: [HIGH] Add security headers to firebase.json

Browse Source 
Added strict security headers to `firebase.json` for Firebase Hosting.
Headers included:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Referrer-Policy: strict-origin-when-cross-origin
- Content-Security-Policy: Includes directives for 'self', Google Fonts, EmailJS, and disallows object/frame embedding.

Also initialized `.jules/sentinel.md` with the first security learning.
This commit is contained in:
google-labs-jules[bot]
2026-01-25 01:35:53 +00:00
parent 949d5ab8b9
commit 5f7f422167
2 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.jules/sentinel.md Normal file
View File

@@ -0,0 +1,4 @@
## 2025-02-12 - Missing Security Headers in Firebase Config
**Vulnerability:** The application is served without standard security headers (CSP, X-Frame-Options, etc.), leaving it vulnerable to XSS, Clickjacking, and MIME sniffing.
**Learning:** Single Page Applications (SPAs) served via static hosting (like Firebase) rely on infrastructure configuration for security headers, which are often overlooked. Default configurations are rarely secure enough.
**Prevention:** Always configure `firebase.json` (or equivalent) with strict security headers (CSP, X-Frame-Options, HSTS, etc.) at project setup.