13

I deploy a static site on firebase hosting with some header configuarations. But I some of my headers doesn't appear after the site deployed.

I tried change the value of Cache-Control header and it works. But X-Frame-Options,Content-Security-Policy,X-Content-Type-Options doesn't.

firebase.json:

{
    "hosting": {
        "public": "public",
        "ignore": ["firebase.json", "**/.*", "**/node_modules/**"],
        "headers": [
            {
                "source": "**/*.@(html)",
                "headers": [
                    {
                        "key": "Cache-Control",
                        "value": "max-age=3600"
                    },
                        {
                        "key": "X-Frame-Options",
                        "value": "SAMEORIGIN"
                    },
                    {
                        "key": "Content-Security-Policy",
                        "value":
                            "script-src 'self' 'unsafe-inline' cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com"
                    }
                ]
            },
            {
                "source": "**/*.@(jpg|jpeg|gif|png|ico|svg)",
                "headers": [
                    {
                        "key": "Cache-Control",
                        "value": "max-age=2592000"
                    }
                ]
            },
            {
                "source": "**/*.@(js|css)",
                "headers": [
                    {
                        "key": "Cache-Control",
                        "value": "max-age=2592000"
                    }
                ]
            },
            {
                "source": "**/*",
                "headers": [
                    {
                        "key": "X-Content-Type-Options",
                        "value": "nosniff"
                    }
                ]
            }
        ]
    }
}

Actual response header I get:

actual response header

3142 maple
  • 865
  • 2
  • 11
  • 27
  • Does the current request in your example end in `.html`? Also note that CSP headers are [not configurable](https://firebase.google.com/docs/hosting/url-redirects-rewrites#section-headers) on Firebase Hosting. – abraham Apr 09 '18 at 16:40
  • I am having the same issue, one year later. I am not even able to change `Cache-Control`, though. I would like to set that and `Access-Control-Allow-Origin`. I am doing exactly what they say on [the docs](https://firebase.google.com/docs/hosting/full-config) (well, except for the JavaScript comments in a `.json` file, that does not look right). – damix911 Apr 12 '19 at 15:19
  • 2
    Same here, it's 2020 and I have the same issues. I can't change any of the headers. They are not mentioning anything about it in the documentation.. – Shibumi May 24 '20 at 02:54
  • 1
    Did you find any solution? – Przemo May 15 '21 at 10:12
  • No solutions so far? – Anshuman Srivastava Jan 31 '22 at 08:29
  • Still facing the same problem – lyzz Feb 04 '23 at 09:53

1 Answers1

0

After deploy, make sure to clear your browser's cache or use incognito mode. That's what happened to me, my custom headers were not showing because Chrome cached previously deployed version

Vlad Soroka
  • 245
  • 1
  • 13