Security Headers and the Undocumented Google CDN PURGE
07 April 19

I’m a big fan of Google’s Firebase hosting, auth and databases, but sometimes the whole serverless architecture thing is a bit frustrating when you get to the nitty gritty.

TL;DR: while implementing security response headers the Google CDN that is behind Firebase Hosting cached the root of my website and gave me this weird encoding error that stopped my site from loading. I found an undocumented way, curl -X PURGE https://clarx.dev , to clear Google Hosting’s CDN cache by reading lots of stuff.

At some point I had a typo in one of the headers which caused the following:

No matter what I did in terms of redeploying the config file which sets the response headers - the response headers for stayed the same.

I tried all the following:

• removing the custom headers from my config one by one and deploying
• updating all NPM packages related to Firebase
• disabling Firebase hosting and reenabling it
• checking through the Google Cloud Console exhaustively looking for anything that was related to Firebase hosting config, headers, caches, etc…
• killing ALL THE CACHES in all the browsers (even the additional browsers I installed to see if it was a cache thing)

In this case I found the solution through reading and research - deep in a Google Group about Firebase there was an “undocumented” command to purge the CDN cache for a particular URL on Google’s hosting:

curl -X PURGE https://clarx.dev

• https://httpstatus.io/ was a nice way to trace redirects and look at responses - you could use the network tab in Firefox or Chrome, but this is way prettier.
• Scott Helme’s https://securityheaders.com website which checks the security headers present in the response headers for a given website
• SSL Lab’s SSL Test https://www.ssllabs.com/ssltest/ to see if there was an issue with SSL

-N.