Security Headers and the Undocumented Google CDN PURGE
07 April 19

I’m a big fan of Google’s Firebase hosting, auth and databases, but sometimes the whole serverless architecture thing is a bit frustrating when you get to the nitty gritty.

TL;DR: while implementing security response headers the Google CDN that is behind Firebase Hosting cached the root of my website and gave me this weird encoding error that stopped my site from loading. I found an undocumented way, curl -X PURGE , to clear Google Hosting’s CDN cache by reading lots of stuff.

At some point I had a typo in one of the headers which caused the following:

Image of Encoding Error

No matter what I did in terms of redeploying the config file which sets the response headers - the response headers for stayed the same.

I tried all the following:

  • removing the custom headers from my config one by one and deploying
  • updating all NPM packages related to Firebase
  • disabling Firebase hosting and reenabling it
  • checking through the Google Cloud Console exhaustively looking for anything that was related to Firebase hosting config, headers, caches, etc…
  • killing ALL THE CACHES in all the browsers (even the additional browsers I installed to see if it was a cache thing)

In this case I found the solution through reading and research - deep in a Google Group about Firebase there was an “undocumented” command to purge the CDN cache for a particular URL on Google’s hosting:

curl -X PURGE


< Return to posts