From 1afa2f3cd877d9bcc66067aa241e8f557c1d5632 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 28 Jan 2026 01:56:37 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Ad?=
 =?UTF-8?q?d=20HSTS=20and=20Permissions-Policy=20headers?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added Strict-Transport-Security (HSTS) and Permissions-Policy headers to firebase.json to improve security posture.

- HSTS ensures browsers only connect via HTTPS for 1 year.
- Permissions-Policy restricts usage of sensitive features (camera, mic, geolocation).

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
---
 firebase.json | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/firebase.json b/firebase.json
index 50e9a41..1fc4858 100644
--- a/firebase.json
+++ b/firebase.json
@@ -24,6 +24,14 @@
             "key": "X-Frame-Options",
             "value": "DENY"
           },
+          {
+            "key": "Strict-Transport-Security",
+            "value": "max-age=31536000; includeSubDomains"
+          },
+          {
+            "key": "Permissions-Policy",
+            "value": "camera=(), microphone=(), geolocation=()"
+          },
           {
             "key": "Referrer-Policy",
             "value": "strict-origin-when-cross-origin"