Security Best Practices
Secure your Firebase Hosting deployment with these essential practices.
Security Headers
{
  "hosting": {
    "headers": [{
      "source": "**",
      "headers": [
        {
          "key": "X-Frame-Options",
          "value": "SAMEORIGIN"
        },
        {
          "key": "X-Content-Type-Options",
          "value": "nosniff"
        },
        {
          "key": "Referrer-Policy",
          "value": "strict-origin-when-cross-origin"
        },
        {
          "key": "Permissions-Policy",
          "value": "camera=(), microphone=(), geolocation=()"
        }
      ]
    }]
  }
}
Content Security Policy
{
  "hosting": {
    "headers": [{
      "source": "**",
      "headers": [{
        "key": "Content-Security-Policy",
        "value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://apis.google.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
      }]
    }]
  }
}
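A small checker, added here as an example rather than Firebase's own tooling, that audits a firebase.json for the headers shown above and flags CSP script sources such as 'unsafe-inline' that undo much of the protection script-src is meant to give. It assumes the rules live under the catch-all "**" source and ignores narrower globs.

```python
import json

# Headers this page recommends, with the values treated as acceptable.
# None means any non-empty value passes; the CSP is audited separately.
REQUIRED = {
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
    "X-Content-Type-Options": {"nosniff"},
    "Referrer-Policy": {"strict-origin-when-cross-origin", "no-referrer",
                        "same-origin", "strict-origin"},
    "Permissions-Policy": None,
    "Content-Security-Policy": None,
}

def collect_headers(config):
    """Flatten the rules whose source is "**" into {header-name: value}."""
    found = {}
    for rule in config.get("hosting", {}).get("headers", []):
        if rule.get("source") == "**":
            for h in rule.get("headers", []):
                found[h["key"]] = h["value"]
    return found

def parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    headers = collect_headers(config)
    for name, allowed in REQUIRED.items():
        value = headers.get(name)
        if not value:
            findings.append(f"missing {name}")
        elif allowed is not None and value not in allowed:
            findings.append(f"{name} has unexpected value {value!r}")
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    # script-src falls back to default-src when absent, as the browser does.
    script = csp.get("script-src", csp.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:"):
        if weak in script:
            findings.append(f"script-src allows {weak}, weakening XSS protection")
    return findings

# Constructed sample merging the two firebase.json snippets on this page.
SAMPLE = {"hosting": {"headers": [{"source": "**", "headers": [
    {"key": "X-Frame-Options", "value": "SAMEORIGIN"},
    {"key": "X-Content-Type-Options", "value": "nosniff"},
    {"key": "Referrer-Policy", "value": "strict-origin-when-cross-origin"},
    {"key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()"},
    {"key": "Content-Security-Policy", "value": "default-src 'self'; script-src 'self' 'unsafe-inline' https://apis.google.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"},
]}]}}

if __name__ == "__main__":
    print("\n".join(audit(json.load(open("firebase.json")))) or "all checks passed")
```

Run against the sample, the only finding is the 'unsafe-inline' entry in script-src; dropping the CSP rule entirely adds a "missing Content-Security-Policy" finding.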
Coming Soon
This documentation is being expanded. For now, please refer to:
- Configuration Guide for headers setup
- OWASP Security Headers