Merged
3 changes: 3 additions & 0 deletions .env.development
@@ -0,0 +1,3 @@
# 개발 서버 (배포된 개발 환경)
VITE_API_URL=https://dev-api.ttorang.com
VITE_APP_TITLE=또랑 (개발)
18 changes: 16 additions & 2 deletions .env.example
@@ -1,6 +1,20 @@
# ===========================================
# 환경변수 템플릿
# 이 파일을 복사해서 .env.local 파일을 만드세요
# ===========================================

# API
# API 서버 URL
# - 개발: https://dev-api.ttorang.com
# - 프로덕션: https://api.ttorang.com
VITE_API_URL=

# App
# 앱 타이틀
VITE_APP_TITLE=또랑

# ===========================================
# 시크릿 키 (반드시 .env.local에만 설정하세요)
# ===========================================

# 카카오 JavaScript 키 (공유 기능용)
# https://developers.kakao.com 에서 발급
VITE_KAKAO_JS_KEY=
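Review bot: The "시크릿 키" section heading above `VITE_KAKAO_JS_KEY=` is misleading, because Vite inlines every `VITE_`-prefixed variable into the client bundle, so this value is readable by anyone who loads the site no matter which file it is set in. Suggest rewording the comment to say the key is public once built, and relying on the provider-side restrictions for the key (for example an allowed-domain setting, if the Kakao console offers one) instead of on keeping it in `.env.local`. Anything that must stay confidential should not carry the `VITE_` prefix at all.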
3 changes: 3 additions & 0 deletions .env.production
@@ -0,0 +1,3 @@
# 프로덕션 서버
VITE_API_URL=https://api.ttorang.com
VITE_APP_TITLE=또랑
25 changes: 20 additions & 5 deletions .github/workflows/firebase-hosting-merge.yml
@@ -1,18 +1,33 @@
# This file was auto-generated by the Firebase CLI
# https://github.com/firebase/firebase-tools

name: Deploy to Firebase Hosting on merge

on:
push:
branches:
- main

jobs:
build_and_deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm ci && npm run build
- uses: FirebaseExtended/action-hosting-deploy@v0

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'npm'

- name: Install dependencies
run: npm ci

- name: Build
run: npm run build
env:
VITE_API_URL: ${{ secrets.VITE_API_URL }}
VITE_KAKAO_JS_KEY: ${{ secrets.VITE_KAKAO_JS_KEY }}

- name: Deploy to Firebase
uses: FirebaseExtended/action-hosting-deploy@v0
with:
repoToken: ${{ secrets.GITHUB_TOKEN }}
firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_TTORANG }}
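Review bot: The deploy step hands `secrets.FIREBASE_SERVICE_ACCOUNT_TTORANG` to `FirebaseExtended/action-hosting-deploy@v0`, which is referenced by a mutable tag, so whatever that tag points to at run time executes with the service account credential. Suggest pinning this action (and `actions/checkout@v4`, `actions/setup-node@v4`) to a full commit SHA with the version in a trailing comment. The visible part of this workflow also has no `permissions:` block, unlike the pull-request workflow, so `GITHUB_TOKEN` runs with the repository default; an explicit minimal block would make the scope reviewable.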
26 changes: 21 additions & 5 deletions .github/workflows/firebase-hosting-pull-request.yml
@@ -1,20 +1,36 @@
# This file was auto-generated by the Firebase CLI
# https://github.com/firebase/firebase-tools

name: Deploy to Firebase Hosting on PR

on: pull_request

permissions:
checks: write
contents: read
pull-requests: write

jobs:
build_and_preview:
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm ci && npm run build
- uses: FirebaseExtended/action-hosting-deploy@v0

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'npm'

- name: Install dependencies
run: npm ci

- name: Build
run: npm run build
env:
VITE_API_URL: ${{ secrets.VITE_API_URL }}
VITE_KAKAO_JS_KEY: ${{ secrets.VITE_KAKAO_JS_KEY }}

- name: Deploy Preview to Firebase
uses: FirebaseExtended/action-hosting-deploy@v0
with:
repoToken: ${{ secrets.GITHUB_TOKEN }}
firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_TTORANG }}
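Review bot: The Build step's `VITE_API_URL: ${{ secrets.VITE_API_URL }}` uses the same secret name as the merge workflow, so preview builds are compiled against the same API endpoint as production deploys and the URLs committed in `.env.development` and `.env.production` are not what decides it. Vite gives variables already present in the process environment priority over `.env` files, and an unset secret expands to an empty string here. Suggest either dropping the `env:` entry and letting the committed `.env.*` files select the endpoint by build mode, or using a separate secret or repository variable for previews. The API URL is not confidential once it is in the bundle, so a repository variable (`vars.`) would also make the configured value visible to reviewers.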
56 changes: 51 additions & 5 deletions firebase.json
@@ -1,16 +1,62 @@
{
"hosting": {
"public": "dist",
"ignore": [
"firebase.json",
"**/.*",
"**/node_modules/**"
],
"ignore": ["firebase.json", "**/.*", "**/node_modules/**"],
"rewrites": [
{
"source": "**",
"destination": "/index.html"
}
],
"headers": [
{
"source": "**/*.@(js|css)",
"headers": [
{
"key": "Cache-Control",
"value": "public, max-age=31536000, immutable"
}
]
},
{
"source": "**/*.@(jpg|jpeg|png|gif|webp|svg|ico|woff|woff2)",
"headers": [
{
"key": "Cache-Control",
"value": "public, max-age=31536000, immutable"
}
]
},
Comment on lines +12 to +20
Contributor


medium

The caching rules for JavaScript/CSS files and for image/font files use the same Cache-Control header. Merging these two rules into one keeps the firebase.json configuration file more concise.

Suggested change
{
"source": "**/*.@(js|css)",
"headers": [
{
"key": "Cache-Control",
"value": "public, max-age=31536000, immutable"
}
]
},
{
"source": "**/*.@(jpg|jpeg|png|gif|webp|svg|ico|woff|woff2)",
"headers": [
{
"key": "Cache-Control",
"value": "public, max-age=31536000, immutable"
}
]
},
{
"source": "**/*.@(js|css|jpg|jpeg|png|gif|webp|svg|ico|woff|woff2)",
"headers": [
{
"key": "Cache-Control",
"value": "public, max-age=31536000, immutable"
}
]
},

{
"source": "index.html",
"headers": [
{
"key": "Cache-Control",
"value": "no-cache, no-store, must-revalidate"
}
]
},
{
"source": "**",
"headers": [
{
"key": "X-Frame-Options",
"value": "DENY"
},
{
"key": "X-Content-Type-Options",
"value": "nosniff"
},
{
"key": "X-XSS-Protection",
"value": "1; mode=block"
},
Contributor


security-high high

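The X-XSS-Protection header is no longer supported by most modern browsers, and in older browsers it can actually introduce security vulnerabilities. It is therefore better to remove this header. Instead, we recommend setting the stronger, standard Content-Security-Policy (CSP) header to defend against XSS attacks.

Reference: MDN - X-XSS-Protection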

{
"key": "Referrer-Policy",
"value": "strict-origin-when-cross-origin"
}
]
}
]
}
}
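Review bot: The `"source": "index.html"` header rule probably does not cover the responses that actually deliver the app shell. Firebase Hosting matches a header `source` against the original request path, and with the `"source": "**"` rewrite the HTML is served for `/` and for every client-side route, none of which match `index.html`, so those responses would not carry `no-cache, no-store, must-revalidate`. Suggest checking the response headers on a deep link in a preview channel and moving the no-cache rule to a pattern that covers the routed paths. Separately, the two one-year `immutable` rules match by extension anywhere under `**`, which includes files whose names are not content-hashed (for example anything copied verbatim from a `public/` directory); scoping them to the hashed build output directory would avoid pinning a stale favicon or image for a year.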