From 963feceecb2a08f96aa4a20fe2e9f02f7ce0a8ca Mon Sep 17 00:00:00 2001
From: Ravi Lodhi <ravi.lodhi@hotwaxsystems.com>
Date: Mon, 29 Apr 2024 14:27:47 +0530
Subject: [PATCH 1/2] Improved: Added X-Frame-Options, CSP,
 strict-transport-security and Permissions-Policy headers in firebase config
 in context of soc2 compliance (#104).

---
 firebase.json | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/firebase.json b/firebase.json
index 6282c4c4..474330ef 100644
--- a/firebase.json
+++ b/firebase.json
@@ -25,8 +25,25 @@
       "rewrites": [ {
         "source": "**",
         "destination": "/index.html"
-      } ]
-
+      } ],
+      "headers": [ {
+        "source": "**",
+        "headers": [ {
+          "key": "X-Frame-Options",
+          "value": "SAMEORIGIN"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+        },
+        {
+          "key": "strict-transport-security",
+          "value": "max-age=31536000; includeSubDomains"
+        },{
+          "key": "Permissions-Policy",
+          "value": "camera=self"
+        } ]
+      }]
     },
     {
       "target": "uat",

From 1304824c8a361ff61cd5486a6fb26974d7e14e58 Mon Sep 17 00:00:00 2001
From: Ravi Lodhi <ravi.lodhi@hotwaxsystems.com>
Date: Wed, 20 Nov 2024 10:45:32 +0530
Subject: [PATCH 2/2] Improved: Added security headers for the uat and prod env
 (#104).

---
 firebase.json | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/firebase.json b/firebase.json
index 474330ef..b7c2d0fe 100644
--- a/firebase.json
+++ b/firebase.json
@@ -11,8 +11,25 @@
       "rewrites": [ {
         "source": "**",
         "destination": "/index.html"
-      } ]
-
+      } ],
+      "headers": [ {
+        "source": "**",
+        "headers": [ {
+          "key": "X-Frame-Options",
+          "value": "SAMEORIGIN"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+        },
+        {
+          "key": "strict-transport-security",
+          "value": "max-age=31536000; includeSubDomains"
+        },{
+          "key": "Permissions-Policy",
+          "value": "camera=self"
+        } ]
+      }]
     },
     {
       "target": "dev",
@@ -56,7 +73,25 @@
       "rewrites": [ {
         "source": "**",
         "destination": "/index.html"
-      } ]
+      } ],
+      "headers": [ {
+        "source": "**",
+        "headers": [ {
+          "key": "X-Frame-Options",
+          "value": "SAMEORIGIN"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'self';font-src 'self' data: *;script-src 'self' 'unsafe-inline' 'unsafe-eval' fonts.googleapis.com;img-src 'self' 'unsafe-inline' *.shopify.com javascript: ;style-src 'self' 'unsafe-inline' *; connect-src 'self' *"
+        },
+        {
+          "key": "strict-transport-security",
+          "value": "max-age=31536000; includeSubDomains"
+        },{
+          "key": "Permissions-Policy",
+          "value": "camera=self"
+        } ]
+      }]
     }
   ]
 }