No security headers in Firebase Hosting — firebase.json

[krishnnag998-del]

description

Here is the simple, easy-to-understand breakdown of what I changed:

I updated exactly two files to act as a "shield" for your website:

1. firebase.json (For your Live Website)
   I added a new section that tells Firebase to attach security instructions (called "headers") to every single page it sends
   to your users.

• What it means: When a user visits your live site, their browser receives these instructions and knows exactly how to
block hackers from tampering with the page.
2. vite.config.ts (For your Local Testing)
I added those exact same security instructions to your local development server (the one you use when you run npm run dev
).
• What it means: This ensures that when you are building and testing the app on your own computer, it behaves exactly the
same way it will on the live website. I also added plain-English comments next to each rule here so you can easily remember
what they do.

What do these new rules actually do?

Think of these headers as a strict set of rules for the user's web browser:

• No Fake Buttons: It stops hackers from putting an invisible layer over your website to trick users into clicking things
they shouldn't (Clickjacking).
• No Sneaky Files: It forces the browser to only read files exactly as they are meant to be read, stopping hackers from
disguising a virus as a normal text file.
• Stop Bad Scripts: It tells the browser to immediately block the page if it catches a hacker trying to run malicious code
(XSS).
• Protect Privacy: It stops your website from accidentally leaking private info (like secret web addresses) when a user
clicks a link to leave your site.
• Approved List (CSP): It gives the browser a strict "VIP Guest List" of where it's allowed to download images, fonts, and
data from. If a hacker tries to sneak in a file from an unapproved source, the browser throws it in the trash.
closes #208

Summary by CodeRabbit

• Security Improvements
  • Added stronger security headers across served pages and local development responses, helping protect against common browser-based attacks.
  • Included protections for content type sniffing, clickjacking, XSS risks, referrer leakage, and restricted content loading.

[vercel]

@krishnnag998-del is attempting to deploy a commit to the hrx01-dev's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

📝 Walkthrough

Walkthrough

Security response headers were added to Firebase Hosting and the Vite dev server. Both configs now set nosniff, frame blocking, XSS protection, a referrer policy, and a Content-Security-Policy.

Changes

Security headers configuration

Layer / File(s)	Summary
Firebase Hosting headers firebase.json	A wildcard hosting header rule applies security headers to all routes before the existing /index.html and asset caching rules.
Vite dev server headers vite.config.ts	The dev server response headers add the matching security header set, including a CSP string and the other browser protections.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• hrx01-dev/Servio#140: Updates firebase.json Hosting headers rules for Cache-Control on /index.html and static assets.

Poem

I hopped through headers, neat and fine,
With nosniff ears and CSP twine.
No frame could trap my carrot cheer,
The dev server guards my bunny rear.
Hop hop! 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding security headers to Firebase Hosting.
Linked Issues check	✅ Passed	The Firebase Hosting config adds the requested headers, including X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, and CSP.
Out of Scope Changes check	✅ Passed	The Vite dev-server headers align with the stated goal of matching hosting behavior, so no unrelated changes are evident.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@firebase.json`:
- Line 41: The Firebase Hosting CSP is too permissive in the header
configuration. In the firebase.json security header value, remove the unused
`unsafe-eval` and `ws:` allowances while keeping the inline script/style
allowances needed by `index.html`. If you tighten further, update the
`window.__SERVIO_FP__` inline snippet to use a nonce/hash or move it into the
bundle, and keep the change localized to the CSP header entry.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2917cc35-e374-40ab-8da5-dcf738a7b81e

📥 Commits

Reviewing files that changed from the base of the PR and between 33999fc and 4bc0c90.

📒 Files selected for processing (2)

• firebase.json
• vite.config.ts

[coderabbitai]

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether production code truly needs eval-like APIs or direct WebSocket endpoints.
rg -n -C2 '\beval\s*\(|new Function\s*\(|WebSocket\s*\(|ws://|wss://' --glob '!dist/**' --glob '!node_modules/**'
rg -n -C2 '<script(?![^>]*\bsrc=)|<style' index.html

Repository: hrx01-dev/Servio

Length of output: 154

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the Firebase Hosting headers and the app entry HTML.
sed -n '1,120p' firebase.json
printf '\n--- index.html ---\n'
sed -n '1,220p' index.html

printf '\n--- search for websocket/eval-like usage ---\n'
rg -n -C2 '\beval\s*\(|new Function\s*\(|WebSocket\s*\(|ws://|wss://' . --glob '!dist/**' --glob '!node_modules/**' --glob '!build/**'

printf '\n--- search for inline script/style in HTML files ---\n'
rg -n -C2 '<script(?![^>]*\bsrc=)|<style' . -g '*.html'

Repository: hrx01-dev/Servio

Length of output: 4562

---

Remove the unused CSP allowances from Firebase Hosting. index.html still needs the inline script/style allowances, but nothing in the codebase uses eval-like APIs or WebSockets, so unsafe-eval and ws: can be dropped from the header. If you want to tighten it further, move the inline window.__SERVIO_FP__ snippet into the bundle or protect it with a nonce/hash first.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@firebase.json` at line 41, The Firebase Hosting CSP is too permissive in the
header configuration. In the firebase.json security header value, remove the
unused `unsafe-eval` and `ws:` allowances while keeping the inline script/style
allowances needed by `index.html`. If you tighten further, update the
`window.__SERVIO_FP__` inline snippet to use a nonce/hash or move it into the
bundle, and keep the change localized to the CSP header entry.

[hrx01-dev]

Approving this !!