🛡️ Sentinel: [HIGH] Add security headers to firebase.json

Added strict security headers to `firebase.json` for Firebase Hosting. Headers included: - X-Content-Type-Options: nosniff - X-Frame-Options: DENY - Referrer-Policy: strict-origin-when-cross-origin - Content-Security-Policy: Includes directives for 'self', Google Fonts, EmailJS, and disallows object/frame embedding. Also initialized `.jules/sentinel.md` with the first security learning.
2026-01-25 01:35:53 +00:00
parent 949d5ab8b9
commit 5f7f422167
2 changed files with 27 additions and 0 deletions
--- a/firebase.json
+++ b/firebase.json
@@ -11,6 +11,29 @@
        "source": "**",
        "destination": "/index.html"
      }
+    ],
+    "headers": [
+      {
+        "source": "**",
+        "headers": [
+          {
+            "key": "X-Content-Type-Options",
+            "value": "nosniff"
+          },
+          {
+            "key": "X-Frame-Options",
+            "value": "DENY"
+          },
+          {
+            "key": "Referrer-Policy",
+            "value": "strict-origin-when-cross-origin"
+          },
+          {
+            "key": "Content-Security-Policy",
+            "value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://api.emailjs.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' https://api.emailjs.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none';"
+          }
+        ]
+      }
    ]
  }
 }