1afa2f3cd8
Added Strict-Transport-Security (HSTS) and Permissions-Policy headers to firebase.json to improve security posture. - HSTS ensures browsers only connect via HTTPS for 1 year. - Permissions-Policy restricts usage of sensitive features (camera, mic, geolocation). Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>
48 lines
1.3 KiB
JSON
48 lines
1.3 KiB
JSON
{
|
|
"hosting": {
|
|
"public": "build",
|
|
"ignore": [
|
|
"firebase.json",
|
|
"**/.*",
|
|
"**/node_modules/**"
|
|
],
|
|
"rewrites": [
|
|
{
|
|
"source": "**",
|
|
"destination": "/index.html"
|
|
}
|
|
],
|
|
"headers": [
|
|
{
|
|
"source": "**",
|
|
"headers": [
|
|
{
|
|
"key": "X-Content-Type-Options",
|
|
"value": "nosniff"
|
|
},
|
|
{
|
|
"key": "X-Frame-Options",
|
|
"value": "DENY"
|
|
},
|
|
{
|
|
"key": "Strict-Transport-Security",
|
|
"value": "max-age=31536000; includeSubDomains"
|
|
},
|
|
{
|
|
"key": "Permissions-Policy",
|
|
"value": "camera=(), microphone=(), geolocation=()"
|
|
},
|
|
{
|
|
"key": "Referrer-Policy",
|
|
"value": "strict-origin-when-cross-origin"
|
|
},
|
|
{
|
|
"key": "Content-Security-Policy",
|
|
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://api.emailjs.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' https://api.emailjs.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none';"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|