HSTS (Strict-Transport-Security) Support for "includeSubdomains" value

284 views
Skip to first unread message

Ryan Watkins

unread,
Oct 10, 2018, 11:37:49 PM10/10/18
to Firebase Google Group
I've been tasked with ensuring we have the following header set in our HTTP responses coming from firebase:

Strict-Transport-Security: max-age:31536000; includeSubDomains

Is it possible to add the "includeSubdomains" header value to the Strict-Transport-Security response header in Firebase.  I see the documentation says it isn't possible to specify this header in the header configuration section of a firebase.json configuration file?

The (I assume default) value I am currently seeing in our HTTP responses is the following:

Strict-Transport-Security: max-age: 31556926

Thanks in advance for your time!

Michael Bleigh

unread,
Oct 11, 2018, 1:44:56 AM10/11/18
to Firebase Google Group
Our docs may be out of date here -- try adding it as a custom header and let me know if it's not working.

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/71e4c6bf-0c19-4a9a-9870-a1b8984a41da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ryan Watkins

unread,
Oct 11, 2018, 9:43:16 PM10/11/18
to Firebase Google Group
Thanks for the response Michael! I went ahead and added the Strict-Transport-Security header to our firebase.json file, but it failed to deploy.   I received an error message along these lines:

Error: HTTP Error: 400, hosting.headers[0].headers[3].key does not match allOf schema [subschema 2] with 1 error[s]:
Exited with code 1

My guess is that it still doesn't support the configuration of this header.

Michael Bleigh

unread,
Oct 11, 2018, 11:02:04 PM10/11/18
to Firebase Google Group
What CLI version are you using? It might need an update.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/0d6164f2-9996-466a-b20c-e9c1f4bc2842%40googlegroups.com.

Ryan Watkins

unread,
Oct 12, 2018, 5:36:17 PM10/12/18
to Firebase Google Group
It looks like we are using firebase-tools 4.0.0

Michael Bleigh

unread,
Oct 12, 2018, 5:45:28 PM10/12/18
to Firebase Google Group
I'd update to the latest (5.0.1)

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/56517980-90a5-465a-9f19-88029da74ddf%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages