HSTS support.

[Roney Thomas]

I am extremely pleased with using firebase hosting. This is really amazing. Thanks for add http2.

One thing i would really love is HSTS preloading support.

I tried to set HSTS headers and got a error saying "HTTP Error: 400, hosting.headers[1].headers[0].key is not one of enum values: Cache-Control,Access-Control-Allow-Origin,X-UA-Compatible,X-Content-Type-Options,X-Frame-Options,X-XSS-Protection,Content-Type,Link,Content-Security-Policy"

From the error it seems firebase hosting doesn't support "strict-transport-security" header.

[Michael Bleigh]

Hi Roney,

Firebase Hosting automatically adds HSTS headers to all hosted sites, but we currently don't support the preload option. This is something that we can consider making configurable in the future if we see enough customer demand.

Cheers,
Michael

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/425cb048-5a68-4ab5-b151-50b4464f37ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Maximillian Laumeister]

Hi Michael,

Where should customers go to register their interest in HSTS preload support? Or is posting in this topic enough?

Thanks!

-Max

[Anders Sandvik]

Where should customers go to register their interest in HSTS preload support?

[Michael Bleigh]

You just did ;)

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/95867fd4-03d9-4093-9781-b200e46f7c8c%40googlegroups.com.

[Shifaat Iqbal]

Hi Michael,

Any updates on this?

[Michael Bleigh]

No update as yet. Your interest is registered, though!

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/a41870f5-0edb-4061-89d2-e31d940fb1b6%40googlegroups.com.

[Abraham Williams]

HSTS Preloading is a feature that I'm also interested in.

- Abraham

[Reinaert Van de Cruys]

I'm also interested in having an HSTS preload option.

[M]

I'd argue that everyone using Firebase Hosting should enable preloading. The only reason you'd want not to do it is if you later on decided to no longer use Firebase Hosting and wanted to serve insecure connections.

So yeah, +1 for the option.

[David Murdoch]

also interested!

[Rory]

I'm interested

[Steve Simpson]

I'm also interested in HSTS preload support :-)

[Derek Held]

I too would like to see HSTS preloading supported.

[Natan Sągol]

Hello, is this feature anywhere on the roadmap?

[Alexis Vapillon]

I'm also interested

This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited. E-mail messages are not necessarily secure. Archos does not accept responsibility for any changes made to this message after it was sent.

[Pierre De Wilde]

It would be great to preload our Firebase Hosting apps in HSTS preload list.

[Michael Bleigh]

Hi Pierre,

Websites are added to HSTS preload on an individual basis. There's nothing stopping you from supplying custom HSTS headers in your firebase.json config and adding your site's custom domain. Is there a specific problem you've run into trying to do so?

-Michael

On Sun, Dec 22, 2019 at 5:54 PM Pierre De Wilde <pierre...@gmail.com> wrote:

It would be great to preload our Firebase Hosting apps in HSTS preload list.

--

You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/6bffce9b-a387-4ce4-8e76-c2df79a7509e%40googlegroups.com.

[Abraham Williams]

According to https://firebase.google.com/docs/hosting/full-config developers can not set a custom HSTS header.

> Important: Firebase Hosting overwrites the Strict-Transport-Security configuration

Abraham Williams

--

abrah.am | @abraham | Bendyworks

GDE | GDG Madison | DevFest WI

You received this message because you are subscribed to a topic in the Google Groups "Firebase Google Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/firebase-talk/S6XDEV6TVhk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CANPY8KUw5%2BnDAJqGV7v6HGaduHxDrAfW1C1a9-hTAHa12CvSZA%40mail.gmail.com.

[Michael Bleigh]

Only on the firebaseapp.com and web.app domains iirc. On a custom domain you can specify it. We may need to update docs 🙂

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CAMJTcaBP-z6b2T9tfXPY5auEwTDn%2BQuH7fEqN4mPODgYGeTYcw%40mail.gmail.com.

[Abraham Williams]

Nice! My defined CSP is applying to my custom domains.

Abraham Williams

--

abrah.am | @abraham | Bendyworks

GDE | GDG Madison | DevFest WI

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/CANPY8KUxi_qprqQZaksK4s_Y-Q1r3nZ1KW6BumUH-HzrNRn%2BNQ%40mail.gmail.com.