5f7f422167
Added strict security headers to `firebase.json` for Firebase Hosting. Headers included: - X-Content-Type-Options: nosniff - X-Frame-Options: DENY - Referrer-Policy: strict-origin-when-cross-origin - Content-Security-Policy: Includes directives for 'self', Google Fonts, EmailJS, and disallows object/frame embedding. Also initialized `.jules/sentinel.md` with the first security learning.
603 B
603 B
2025-02-12 - Missing Security Headers in Firebase Config
Vulnerability: The application is served without standard security headers (CSP, X-Frame-Options, etc.), leaving it vulnerable to XSS, Clickjacking, and MIME sniffing.
Learning: Single Page Applications (SPAs) served via static hosting (like Firebase) rely on infrastructure configuration for security headers, which are often overlooked. Default configurations are rarely secure enough.
Prevention: Always configure firebase.json (or equivalent) with strict security headers (CSP, X-Frame-Options, HSTS, etc.) at project setup.