super duper secure http headers. maybe excessively so.... ¯\_(ツ)_/¯

2025-07-23 02:21:16 -04:00 · 2018-04-26 11:44:12 -04:00
parent 6714709c2a
commit 3558c4b0cd
1 changed files with 16 additions and 2 deletions
--- a/firebase.json
+++ b/firebase.json
@@ -4,9 +4,11 @@
    "ignore": [
      "firebase.json",
      "package.json",
+      "package-lock.json",
      "Gruntfile.js",
      "README.md",
-      "**/.DS_Store",
+      "**/.*",
+      "**/.git/**",
      "**/node_modules/**",
      "**/bower_components/**"
    ],
@@ -20,7 +22,7 @@
          },
          {
            "key": "X-XSS-Protection",
-            "value": "1; mode=block"
+            "value": "1; mode=block; report=https://jakejarvis.report-uri.com/r/d/xss/enforce"
          },
          {
            "key": "X-Frame-Options",
@@ -29,6 +31,18 @@
          {
            "key": "X-DNS-Prefetch-Control",
            "value": "off"
+          },
+          {
+            "key": "Referrer-Policy",
+            "value": "no-referrer-when-downgrade"
+          },
+          {
+            "key": "Content-Security-Policy",
+            "value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://ssl.google-analytics.com https://ajax.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://www.youtube.com https://drive.google.com https://www.scribd.com; connect-src 'self' https://jakejarvis.report-uri.com; report-uri https://jakejarvis.report-uri.com/r/d/csp/enforce;"
+          },
+          {
+            "key": "Expect-CT",
+            "value": "max-age=0, report-uri=https://jakejarvis.report-uri.com/r/d/ct/reportOnly"
          }
        ]
      },