feat: add CSP and recommended security headers to site

- update cache ages for different types of assets - assets 6 months, CDN 1 year - js/css that is hashed per build, 1 year - webmanifest/ico 7 days, CDN 14 days - CLI auto-inlined SVG in root dir 1 year Relates to angular/angular#37631
DevIntent · Jan 29, 2021 · 4712479 · 4712479
1 parent 4c71715
commit 4712479
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 8 deletions.
diff --git a/firebase.json b/firebase.json
@@ -8,13 +8,79 @@
         "destination": "/index.html"
       }
     ],
-    "headers": [{
-      "source" : "/assets/versions.json",
-      "headers" : [{
-        "key" : "Access-Control-Allow-Origin",
-        "value" : "*"
-      }]
-    }],
+    "headers": [
+      {
+        "source": "/assets/versions.json",
+        "headers": [
+          {
+            "key": "Access-Control-Allow-Origin",
+            "value": "*"
+          }
+        ]
+      },
+      {
+        "source": "/**(*.@(css|js|json|html|svg))",
+        "headers": [
+          {
+            "key": "X-Content-Type-Options",
+            "value": "nosniff"
+          }
+        ]
+      },
+      {
+        "source": "/**",
+        "headers": [
+          {
+            "key": "X-XSS-Protection",
+            "value": "1"
+          },
+          {
+            "key": "X-Frame-Options",
+            "value": "DENY"
+          },
+          {
+            "key": "Content-Security-Policy",
+            "value": "upgrade-insecure-requests; default-src 'self'; font-src 'self' https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src *; frame-src https://www.youtube.com; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; child-src 'self' blob:; connect-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://api.github.com;"
+          }
+        ]
+      },
+      {
+        "source": "/assets/**",
+        "headers": [
+          {
+            "key": "Cache-Control",
+            "value": "public, max-age=15811200, s-maxage=31536000"
+          }
+        ]
+      },
+      {
+        "source": "/*.svg",
+        "headers": [
+          {
+            "key": "Cache-Control",
+            "value": "public, max-age=31536000"
+          }
+        ]
+      },
+      {
+        "source": "/*.@(webmanifest|ico)",
+        "headers": [
+          {
+            "key": "Cache-Control",
+            "value": "public, max-age=604800, s-maxage=1209600"
+          }
+        ]
+      },
+      {
+        "source": "/*.@(js|css)",
+        "headers": [
+          {
+            "key": "Cache-Control",
+            "value": "public, max-age=31536000"
+          }
+        ]
+      }
+    ],
     "ignore": [
       "firebase.json",
       "**/node_modules/**",

diff --git a/tools/audit-docs.js b/tools/audit-docs.js
@@ -32,7 +32,7 @@ const MIN_SCORES_PER_PAGE = [
     url: '',
     minScores: {
       'pwa': 70,
-      'performance': 21,
+      'performance': 30,
       'seo': 98,
       'best-practices': 100,
       'accessibility': 100