How to add security headers to firebase hosted application - firebase

I have seen similar questions but nothing that answers this exactly. So I have an application being hosted by Firebase. I recently ran some penetration tests on it and realized I need to add some security headers to the website.
Specifically: X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options. The problem is I really do not know how to do that. Having given it a bit of research I can see that the way to add headers to my firebase application is to add them to my firebase.json file which I will show here:
{
  "hosting": {
    "site": "xxxxxxxxxxxxxxxxx",
    "public": "dist/xxxxxxxxxxxx",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "headers": [ {
      "source": "**",
      "headers": [{
        "key": "Access-Control-Allow-Origin",
        "value": "*"
      }]
    }],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ]
  }
}
Do I need to add them to the "headers" section of that?
Sorry for the ignorance but any help is appreciated.

Almost complete Firebase Security Headers
Just create your Content-Security-Policy; I've used report-uri.com.
"headers": [
{
"source": "**",
"headers": [
{
"key": "Content-Security-Policy",
"value": "default-src 'none'; script-src 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' https://www.google.com https://www.google.ad https://www.google.ae https://www.google.com.af https://www.google.com.ag https://www.google.com.ai https://www.google.al https://www.google.am https://www.google.co.ao https://www.google.com.ar https://www.google.as https://www.google.at https://www.google.com.au https://www.google.az https://www.google.ba https://www.google.com.bd https://www.google.be https://www.google.bf https://www.google.bg https://www.google.com.bh https://www.google.bi https://www.google.bj https://www.google.com.bn https://www.google.com.bo https://www.google.com.br https://www.google.bs https://www.google.bt https://www.google.co.bw https://www.google.by https://www.google.com.bz https://www.google.ca https://www.google.cd https://www.google.cf https://www.google.cg https://www.google.ch https://www.google.ci https://www.google.co.ck https://www.google.cl https://www.google.cm https://www.google.cn https://www.google.com.co https://www.google.co.cr https://www.google.com.cu https://www.google.cv https://www.google.com.cy https://www.google.cz https://www.google.de https://www.google.dj https://www.google.dk https://www.google.dm https://www.google.com.do https://www.google.dz https://www.google.com.ec https://www.google.ee https://www.google.com.eg https://www.google.es https://www.google.com.et https://www.google.fi https://www.google.com.fj https://www.google.fm https://www.google.fr https://www.google.ga https://www.google.ge https://www.google.gg https://www.google.com.gh https://www.google.com.gi https://www.google.gl https://www.google.gm https://www.google.gr https://www.google.com.gt https://www.google.gy https://www.google.com.hk https://www.google.hn https://www.google.hr https://www.google.ht https://www.google.hu https://www.google.co.id 
https://www.google.ie https://www.google.co.il https://www.google.im https://www.google.co.in https://www.google.iq https://www.google.is https://www.google.it https://www.google.je https://www.google.com.jm https://www.google.jo https://www.google.co.jp https://www.google.co.ke https://www.google.com.kh https://www.google.ki https://www.google.kg https://www.google.co.kr https://www.google.com.kw https://www.google.kz https://www.google.la https://www.google.com.lb https://www.google.li https://www.google.lk https://www.google.co.ls https://www.google.lt https://www.google.lu https://www.google.lv https://www.google.com.ly https://www.google.co.ma https://www.google.md https://www.google.me https://www.google.mg https://www.google.mk https://www.google.ml https://www.google.com.mm https://www.google.mn https://www.google.ms https://www.google.com.mt https://www.google.mu https://www.google.mv https://www.google.mw https://www.google.com.mx https://www.google.com.my https://www.google.co.mz https://www.google.com.na https://www.google.com.ng https://www.google.com.ni https://www.google.ne https://www.google.nl https://www.google.no https://www.google.com.np https://www.google.nr https://www.google.nu https://www.google.co.nz https://www.google.com.om https://www.google.com.pa https://www.google.com.pe https://www.google.com.pg https://www.google.com.ph https://www.google.com.pk https://www.google.pl https://www.google.pn https://www.google.com.pr https://www.google.ps https://www.google.pt https://www.google.com.py https://www.google.com.qa https://www.google.ro https://www.google.ru https://www.google.rw https://www.google.com.sa https://www.google.com.sb https://www.google.sc https://www.google.se https://www.google.com.sg https://www.google.sh https://www.google.si https://www.google.sk https://www.google.com.sl https://www.google.sn https://www.google.so https://www.google.sm https://www.google.sr https://www.google.st https://www.google.com.sv 
https://www.google.td https://www.google.tg https://www.google.co.th https://www.google.com.tj https://www.google.tl https://www.google.tm https://www.google.tn https://www.google.to https://www.google.com.tr https://www.google.tt https://www.google.com.tw https://www.google.co.tz https://www.google.com.ua https://www.google.co.ug https://www.google.co.uk https://www.google.com.uy https://www.google.co.uz https://www.google.com.vc https://www.google.co.ve https://www.google.vg https://www.google.co.vi https://www.google.com.vn https://www.google.vu https://www.google.ws https://www.google.rs https://www.google.co.za https://www.google.co.zm https://www.google.co.zw https://www.google.cat https://www.gstatic.com/images/ https://www.googletagmanager.com/; manifest-src 'self'; media-src 'self'; report-uri https://YOURKEY.report-uri.com/r/d/csp/reportOnly; report-to https://YOURKEY.report-uri.com/b/g/h; worker-src 'self'; form-action 'self'; frame-ancestors 'self';"
},
{
"key": "Cache-Control",
"value": "public, max-age=31536000"
},
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{
"key": "X-Frame-Options",
"value": "DENY"
},
{ "key": "X-XSS-Protection", "value": "1; mode=block" },
{ "key": "Referrer-Policy", "value": "no-referrer" },
{ "key": "Feature-Policy", "value": "microphone 'self'" },
{
"key": "Expect-CT",
"value": "max-age=86400, report-uri=\"https://YOURKEY.report-uri.com/b/g/h\""
},
{
"key": "Report-To",
"value": "{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https://YOURKEY.report-uri.com/b/g/h\"}],\"include_subdomains\":true}"
}
]
}
]

"headers" : [ {
  "source": "**",
  "headers" : [
    { "key" : "Access-Control-Allow-Origin", "value" : "*" },
    { "key" : "X-Frame-Options", "value" : "deny" },
    { "key" : "X-Content-Type-Options", "value" : "nosniff" },
    { "key" : "X-XSS-Protection", "value" : "1; mode=block" }
  ]
}],
This seemed to work perfectly well.
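As an added check (not code from the question or either answer): a small Python audit that takes a response's header map and reports what a scan like the one mentioned in the question would flag, including the wildcard CORS header the question's config already sends on every path. The expected values follow the headers discussed on this page; fetch_headers is an assumed helper for running the same audit against a live deployment.

```python
import urllib.request
from typing import Dict, List

# Accepted values for the three headers the question asks about; "0" is the
# modern choice for X-XSS-Protection since current browsers dropped the filter.
EXPECTED = {
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("deny", "sameorigin"),
    "x-xss-protection": ("1; mode=block", "0"),
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers (header names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].lower() not in allowed:
            findings.append(f"unexpected {name}: {h[name]}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0] == "script-src" and "'unsafe-inline'" in parts:
                findings.append("content-security-policy script-src allows 'unsafe-inline'")
    # The question's firebase.json sets this on every path ("source": "**"), not only on an API.
    if h.get("access-control-allow-origin") == "*":
        findings.append("access-control-allow-origin is * on this response")
    return findings

def fetch_headers(url: str) -> Dict[str, str]:
    """HEAD a deployed page and return its headers (needs network; not used by the samples)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed samples: the question's config (only a wildcard CORS header) and the same
# site after the four headers from the second answer are added.
BEFORE = {"Access-Control-Allow-Origin": "*", "Cache-Control": "max-age=3600"}
AFTER = {**BEFORE, "X-Frame-Options": "deny", "X-Content-Type-Options": "nosniff",
         "X-XSS-Protection": "1; mode=block"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
```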

Related

Manifest File Issue Trying to Use SQLite3.wasm with MV3

I am developing an MV3 chrome extension that uses a sqlite3 database but I am getting an error "
'content_security_policy.extension_pages': Insecure CSP value "'unsafe-eval'" in directive 'script-src'.
Could not load manifest." when I try and add it to my chrome browser.
My manifest.json is as follows:
{
  "manifest_version": 3,
  "name": "Some name",
  "version": "1.0",
  "description": "Some description",
  "icons": {
    "16": "icons/icon1.png",
    "32": "icons/icon2.png",
    "48": "icons/icon3.png",
    "128": "icons/icon4.png"
  },
  "action": {
    "default_popup": "search.html",
    "default_icon": "icons/icon4.png"
  },
  "background": {
    "service_worker": "background.js"
  },
  "web_accessible_resources": [
    {
      "matches": ["<all_urls>"],
      "resources": ["sqlite3.wasm"]
    }
  ],
  "content_security_policy": {
    "extension_pages": "script-src 'self' 'unsafe-eval'; object-src 'self'; worker-src blob: 'self';"
  },
  "host_permissions": [
    "activeTab",
    "storage"
  ]
}
Note: sqlite3.wasm exists in the same dir as the manifest file.
Any advice appreciated!
The issue seems to be specific to MV3.

Firebase hosting CSP nonce implementation

I have been working on a CSP for my Firebase hosted website; a large number of requests are blocked by the CSP because GTM (Google Tag Manager) is an inline script.
I'm using Firebase Analytics, which is the reason for GTM being injected into the page.
I have read that I can use a nonce [1], which in most cases is a non-issue to implement.
How would this be implemented using Firebase hosting? From my research, Firebase hosting headers can't be modified after deployment.
1: https://developers.google.com/tag-manager/web/csp
Yes you can. You should have a firebase.json file in the root of your project folder; you can change your headers in it. Check my file:
{
  "hosting": {
    "public": "dist/browser",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ],
    "headers": [
      {
        "source": "**/*.#(jpg|jpeg|gif|png|webp|eot|otf|ttf|ttc|woff)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=7200"
          }
        ]
      },
      {
        "source": "**/*.#(html|js|css)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "no-cache, no-store, must-revalidate"
          }
        ]
      },
      {
        "source": "**",
        "headers": [
          {
            "key": "X-Frame-Options",
            "value": "SAMEORIGIN"
          }
        ]
      },
      {
        "source": "**",
        "headers": [
          {
            "key": "X-Content-Type-Options",
            "value": "nosniff"
          }
        ]
      },
      {
        "source": "**",
        "headers": [
          {
            "key": "Referrer-Policy",
            "value": "strict-origin"
          }
        ]
      },
      {
        "source": "**",
        "headers": [
          {
            "key": "Permissions-Policy",
            "value": "geolocation=(), microphone=(), gyroscope=()"
          }
        ]
      }
    ]
  }
}
Unfortunately I was obligated to remove my CSP from it...

Ionic app hosted on firebase requires cache clear

I have an ionic 4 app hosted on firebase and when I push an update, my users have to clear their cache to load the newest version of the app.
I've searched around a bit and modified my firebase.json to reflect the following:
{
  "hosting": {
    "public": "www",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "headers": [
      { "source": "/service-worker.js", "headers": [{ "key": "Cache-Control", "value": "no-cache" }] }
    ],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ]
  }
}
I thought this worked, but today I pushed an update and it required me to clear my cache. Does anyone have other ideas on how to force an update?
Try changing this
"headers": [{"key": "Cache-Control", "value": "no-cache"}]
to this
"headers": [{"key": "Cache-Control", "value": "no-cache, no-store, must-revalidate"}]
Or this
"headers": [{"key": "Cache-Control", "value": "public, max-age=0"}]
Also, you are setting the rule for "source": "/service-worker.js"; is that what you want?
I think you want this:
"headers": [
  {
    "source": "/**",
    "headers": [
      {
        "key": "Cache-Control",
        "value": "no-cache, no-store, must-revalidate"
      }
    ]
  }]
See what they do in this answer
This could reduce performance for the users.

How does Firebase Hosting behave when firebase.json has two (or more) sets of "headers" rules that apply to a specific path?

If you set 2 headers rules on Firebase Hosting firebase.json file as a generic rule and a more specific rule, in a way that some paths will match both of them, how does Firebase Hosting behave in that situation? Does it override and merge the header values in order of the array?
For example:
firebase.json
"headers": [
  {
    "source": "/**",
    "headers": [
      { "key": "Cache-Control", "value": "max-age=3600" },
      { "key": "Vary", "value": "User-Agent" }
    ]
  },
  {
    "source": "/api/**",
    "headers": [
      { "key": "Cache-Control", "value": "no-cache" },
      { "key": "Access-Control-Allow-Origin", "value": "https://www.example.com" }
    ]
  }
]
Can I assume the /api/** calls will get the overwrite / merge result from the two sets of header rules in that order? I mean, the order is important here, right?
The result for /api would be:
Cache-Control: no-cache
Vary: User-Agent
Access-Control-Allow-Origin: https://www.example.com
I've just tested and here are the results:
It will overwrite and merge the headers in the order that they appear.
For example:
"headers": [
  {
    "source": "/**",
    "headers": [
      { "key": "Cache-Control", "value": "max-age=3600" },
      { "key": "Vary", "value": "User-Agent" }
    ]
  },
  {
    "source": "/api/**",
    "headers": [
      { "key": "Cache-Control", "value": "no-cache" },
      { "key": "Access-Control-Allow-Origin", "value": "https://www.example.com" }
    ]
  }
]
From the code above, for an /api/something call, it would return the following:
Cache-Control: no-cache
Vary: User-Agent
Access-Control-Allow-Origin: https://www.example.com
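As an added illustration (not part of the answer), a small Python model of the merge behaviour the answer describes: rules are applied in array order, later values overwrite earlier ones for the same key, and other keys are merged. The glob translation is a simplified assumption for the patterns used on this page, not Firebase's own matcher.

```python
import re
from typing import Dict, List

# Constructed copy of the two rules from the question above.
HEADER_RULES = [
    {"source": "/**", "headers": [
        {"key": "Cache-Control", "value": "max-age=3600"},
        {"key": "Vary", "value": "User-Agent"},
    ]},
    {"source": "/api/**", "headers": [
        {"key": "Cache-Control", "value": "no-cache"},
        {"key": "Access-Control-Allow-Origin", "value": "https://www.example.com"},
    ]},
]

def glob_to_regex(source: str) -> "re.Pattern":
    """Translate a firebase.json "source" glob into a regex. Simplified
    approximation (assumption, not Firebase's matcher): ** spans '/',
    * stays inside one segment, #(a|b) is the extglob alternative."""
    out, i = [], 0
    while i < len(source):
        if source.startswith("**", i):
            out.append(".*"); i += 2
        elif source.startswith("#(", i):
            end = source.index(")", i)
            alts = source[i + 2:end].split("|")
            out.append("(?:" + "|".join(map(re.escape, alts)) + ")"); i = end + 1
        elif source[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(source[i])); i += 1
    body = "".join(out)
    # "**" and "/**" should both match "/index.html": leading slash optional.
    body = body[1:] if body.startswith("/") else body
    return re.compile("^/?" + body + "$")

def resolve_headers(rules: List[dict], path: str) -> Dict[str, str]:
    """Apply every rule whose source matches, in array order: a later rule
    overwrites an earlier value for the same key and adds new keys."""
    result: Dict[str, str] = {}
    for rule in rules:
        if glob_to_regex(rule["source"]).match(path):
            for header in rule["headers"]:
                result[header["key"]] = header["value"]
    return result

if __name__ == "__main__":
    for path in ("/api/something", "/index.html"):
        print(path, resolve_headers(HEADER_RULES, path))
```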

Firebase hosting custom headers not working

I deployed a static site on Firebase Hosting with some header configurations, but some of my headers don't appear after the site is deployed.
I tried changing the value of the Cache-Control header and it works, but X-Frame-Options, Content-Security-Policy and X-Content-Type-Options don't.
firebase.json:
{
  "hosting": {
    "public": "public",
    "ignore": ["firebase.json", "**/.*", "**/node_modules/**"],
    "headers": [
      {
        "source": "**/*.#(html)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=3600"
          },
          {
            "key": "X-Frame-Options",
            "value": "SAMEORIGIN"
          },
          {
            "key": "Content-Security-Policy",
            "value": "script-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com"
          }
        ]
      },
      {
        "source": "**/*.#(jpg|jpeg|gif|png|ico|svg)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=2592000"
          }
        ]
      },
      {
        "source": "**/*.#(js|css)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=2592000"
          }
        ]
      },
      {
        "source": "**/*",
        "headers": [
          {
            "key": "X-Content-Type-Options",
            "value": "nosniff"
          }
        ]
      }
    ]
  }
}
Actual response header I get:
After deploying, make sure to clear your browser's cache or use incognito mode. That's what happened to me: my custom headers were not showing because Chrome had cached the previously deployed version.
