
How to Enable and Enforce HTTPS in Firebase Hosting

Firebase Hosting automatically provisions free SSL certificates for all default domains (*.web.app and *.firebaseapp.com). For custom domains, SSL is provisioned automatically after DNS verification completes. To enforce HTTPS redirects, add a headers configuration in firebase.json with Strict-Transport-Security. Firebase Hosting does not support HTTP — all traffic is served over HTTPS by default, so the main task is configuring custom domains and ensuring all resources load over secure connections.

What you'll learn

  • How Firebase Hosting provisions SSL certificates automatically for default and custom domains
  • How to add a custom domain and wait for SSL provisioning to complete
  • How to configure HSTS headers to enforce HTTPS in firebase.json
  • How to troubleshoot SSL certificate provisioning issues
Intermediate | 6 min read | 10-15 min | Firebase Hosting (all plans), Firebase CLI v13+ | March 2026 | RapidDev Engineering Team

Enabling and Enforcing HTTPS in Firebase Hosting

Firebase Hosting serves all content over HTTPS by default — there is no HTTP-only mode. Default domains (yourproject.web.app and yourproject.firebaseapp.com) get SSL certificates automatically with zero configuration. When you add a custom domain, Firebase provisions a free SSL certificate through Let's Encrypt after DNS verification. This tutorial covers the setup process, HSTS enforcement headers, and troubleshooting certificate issues.

Prerequisites

  • A Firebase project with Hosting enabled
  • Firebase CLI installed and logged in
  • A deployed hosting site (firebase deploy --only hosting)
  • Access to DNS settings if using a custom domain

Step-by-step guide

1. Verify HTTPS works on your default Firebase domain

Every Firebase Hosting project gets two default domains: yourproject.web.app and yourproject.firebaseapp.com. Both have SSL certificates provisioned automatically. After deploying your site with firebase deploy, visit both URLs in your browser and verify the padlock icon appears. No configuration is needed for these domains.

```bash
# Deploy your site
firebase deploy --only hosting

# Your site is available at:
# https://YOUR-PROJECT.web.app
# https://YOUR-PROJECT.firebaseapp.com
```

Expected result: Both default domains serve your site over HTTPS with valid SSL certificates and the browser shows a padlock icon.

2. Add a custom domain in the Firebase Console

To use your own domain (e.g., www.yoursite.com), open the Firebase Console, go to Hosting, and click Add custom domain. Enter your domain name. Firebase will ask you to verify ownership by adding a TXT record to your DNS. After verification, add the A records Firebase provides (typically pointing to 151.101.1.195 and 151.101.65.195). SSL provisioning begins automatically once DNS records propagate.

Expected result: The Firebase Console shows your custom domain with a status of 'Connected' and an SSL certificate status of 'Active'.

3. Add HSTS headers to enforce HTTPS

While Firebase Hosting always serves over HTTPS, browsers may still attempt HTTP connections on custom domains. Add the Strict-Transport-Security (HSTS) header in your firebase.json to tell browsers to always use HTTPS. The max-age value is in seconds; 31536000 equals one year. The includeSubDomains directive applies the policy to all subdomains, including any that are not served by Firebase Hosting, so confirm that every subdomain already works over HTTPS before you set it.

```json
{
  "hosting": {
    "public": "dist",
    "headers": [
      {
        "source": "**",
        "headers": [
          {
            "key": "Strict-Transport-Security",
            "value": "max-age=31536000; includeSubDomains"
          },
          {
            "key": "X-Content-Type-Options",
            "value": "nosniff"
          },
          {
            "key": "X-Frame-Options",
            "value": "DENY"
          }
        ]
      }
    ],
    "ignore": ["firebase.json", "**/.*", "**/node_modules/**"]
  }
}
```

Expected result: After deploying, the response headers include Strict-Transport-Security, and browsers automatically upgrade HTTP requests to HTTPS.
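The configuration above can be checked before each deploy. This is an added example, not code from the original tutorial or from Firebase: `auditHsts`, `parseHsts` and both sample configs are hypothetical names constructed here, and the check assumes the single-site `hosting` object shape shown in this step.

```javascript
// Added example: auditHsts and both sample configs are hypothetical, constructed here.
const ONE_YEAR = 31536000;

// Split "max-age=31536000; includeSubDomains" into its directives.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of String(value).split(";")) {
    const [name, raw = ""] = part.trim().split("=");
    if (/^max-age$/i.test(name) && /^"?\d+"?$/.test(raw)) {
      out.maxAge = Number(raw.replace(/"/g, ""));
    } else if (/^includeSubDomains$/i.test(name)) {
      out.includeSubDomains = true;
    }
  }
  return out;
}

function auditHsts(config) {
  const rules = (config.hosting && config.hosting.headers) || [];
  // Only the catch-all rule puts the header on every response.
  const hsts = rules
    .filter((rule) => rule.source === "**")
    .flatMap((rule) => rule.headers || [])
    .find((h) => /^strict-transport-security$/i.test(h.key));
  if (!hsts) return ['no Strict-Transport-Security header on source "**"'];

  const findings = [];
  const { maxAge, includeSubDomains } = parseHsts(hsts.value);
  if (maxAge === null) findings.push("max-age missing or not an integer");
  else if (maxAge === 0) findings.push("max-age=0 tells browsers to drop the policy");
  else if (maxAge < ONE_YEAR) findings.push(`max-age=${maxAge} is below one year (${ONE_YEAR})`);
  if (!includeSubDomains) findings.push("includeSubDomains not set");
  return findings;
}

// Constructed inputs: the value from this step, and a short test-phase value.
const hstsRule = (value) => ({
  hosting: { headers: [{ source: "**", headers: [{ key: "Strict-Transport-Security", value }] }] },
});
const PAGE_CONFIG = hstsRule("max-age=31536000; includeSubDomains");
const TESTING_CONFIG = hstsRule("max-age=3600");

console.log(auditHsts(PAGE_CONFIG));
console.log(auditHsts(TESTING_CONFIG));
```

A short max-age is reported rather than rejected, since a low value is a sensible choice while HTTPS is still being verified.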

4. Ensure all resources load over HTTPS

Mixed content errors occur when your HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Check your HTML, CSS, and JavaScript for any hardcoded http:// URLs and change them to https:// or use protocol-relative URLs (//). Open your browser's developer tools console and look for mixed content warnings.

```html
<!-- BAD: HTTP resource on HTTPS page -->
<script src="http://cdn.example.com/lib.js"></script>
<img src="http://example.com/image.jpg" />

<!-- GOOD: HTTPS or protocol-relative -->
<script src="https://cdn.example.com/lib.js"></script>
<img src="https://example.com/image.jpg" />

<!-- ALSO GOOD: Protocol-relative URL -->
<script src="//cdn.example.com/lib.js"></script>
```

Expected result: No mixed content warnings appear in the browser console, and all resources load securely over HTTPS.
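The manual check in this step can be automated across built HTML files. This is an added example, not part of the original tutorial: `findMixedContent` is a hypothetical helper and `SAMPLE_HTML` is constructed. It is a regex-based scan, so treat it as a pre-deploy lint rather than a full HTML parser.

```javascript
// Added example: findMixedContent is a hypothetical helper, SAMPLE_HTML is constructed.
// Attributes that make the browser fetch a subresource, per tag.
const FETCH_ATTRS = new Map(Object.entries({
  script: ["src"], img: ["src"], iframe: ["src"], audio: ["src"],
  video: ["src", "poster"], source: ["src"], link: ["href"],
}));

function findMixedContent(html) {
  const hits = [];
  // Commented-out markup is never fetched, so drop it first.
  const live = html.replace(/<!--[\s\S]*?-->/g, "");
  for (const [, rawTag, attrs] of live.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const wanted = FETCH_ATTRS.get(tag);
    // <a href="http://..."> is navigation, not a subresource load.
    if (!wanted) continue;
    // <link> only loads a resource for some rel values; stylesheet is the common one.
    if (tag === "link" && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
    for (const [, name, url] of attrs.matchAll(/([a-zA-Z-]+)\s*=\s*["']?([^"'\s>]+)/g)) {
      if (wanted.includes(name.toLowerCase()) && /^http:\/\//i.test(url)) hits.push({ tag, url });
    }
  }
  // url(http://...) inside inline styles and <style> blocks.
  for (const [, url] of live.matchAll(/url\(\s*["']?(http:\/\/[^"')\s]+)/gi)) {
    hits.push({ tag: "css", url });
  }
  return hits;
}

const SAMPLE_HTML = `
<!-- <script src="http://old.example.com/legacy.js"></script> -->
<script src="http://cdn.example.com/lib.js"></script>
<script src="//cdn.example.com/other.js"></script>
<img src="https://example.com/image.jpg" />
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<a href="http://example.com/about">About</a>
<div style="background: url('http://example.com/bg.png')"></div>
`;

for (const hit of findMixedContent(SAMPLE_HTML)) console.log(`${hit.tag}: ${hit.url}`);
```

Only the script, the stylesheet link and the CSS background are reported; the anchor, the canonical link and the commented-out script are ignored because the browser does not load them as subresources.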

5. Troubleshoot SSL certificate provisioning issues

If your custom domain shows 'Needs setup' or 'Pending' for more than 24 hours, the DNS records are likely incorrect. Verify your A records point to the Firebase IP addresses shown in the Console. Check that no CAA records on your domain block Let's Encrypt. If you are using a CDN like Cloudflare in front of Firebase, set the DNS proxy to DNS-only (grey cloud) during provisioning, then re-enable it after the certificate is active.

```bash
# Verify DNS resolution from your terminal
dig A www.yoursite.com +short
# Should return Firebase IP addresses like 151.101.1.195

# Check for CAA records that might block certificate issuance
dig CAA yoursite.com +short
# Should be empty or include letsencrypt.org
```

Expected result: DNS records resolve to Firebase IPs, no CAA records block certificate issuance, and the SSL certificate shows as Active in the Firebase Console.
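The "empty or include letsencrypt.org" rule for the CAA check can be evaluated mechanically from the `dig CAA ... +short` output. This is an added example, not part of the original tutorial: `caaAllows` is a hypothetical helper, the sample outputs are constructed, and `ca.example` stands in for some other certificate authority.

```javascript
// Added example: caaAllows is a hypothetical helper; the dig outputs below are constructed.
function caaAllows(digShortOutput, caDomain) {
  // Each `dig CAA <domain> +short` line looks like: 0 issue "letsencrypt.org"
  const records = digShortOutput
    .split("\n")
    .map((line) => line.trim().match(/^(\d+)\s+(\S+)\s+"(.*)"$/))
    .filter(Boolean)
    .map(([, flags, tag, value]) => ({ flags: Number(flags), tag: tag.toLowerCase(), value }));

  // Only `issue` records govern non-wildcard certificates;
  // `issuewild` and `iodef` do not restrict them.
  const issue = records.filter((r) => r.tag === "issue");
  if (issue.length === 0) {
    return { allowed: true, reason: "no issue records, any CA may issue" };
  }

  // The CA name is the part before any ";" parameters.
  // An empty name (issue ";") forbids every CA.
  const names = issue.map((r) => r.value.split(";")[0].trim().toLowerCase());
  const allowed = names.includes(caDomain.toLowerCase());
  const listed = names.filter(Boolean).join(", ") || "(none)";
  return {
    allowed,
    reason: allowed ? `${caDomain} is listed` : `issue records list only: ${listed}`,
  };
}

// Constructed sample outputs.
const CAA_EMPTY = "";
const CAA_OTHER_CA = '0 issue "ca.example"';
const CAA_WITH_LE = '0 issue "ca.example"\n0 issue "letsencrypt.org; validationmethods=http-01"';
const CAA_DENY_ALL = '0 issue ";"';

for (const sample of [CAA_EMPTY, CAA_OTHER_CA, CAA_WITH_LE, CAA_DENY_ALL]) {
  console.log(caaAllows(sample, "letsencrypt.org"));
}
```

CAA lookups climb from the requested name toward the apex, so an empty result for a subdomain means the parent domain's records apply and should be checked as well.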

Complete working example

firebase.json
```json
{
  "hosting": {
    "public": "dist",
    "ignore": ["firebase.json", "**/.*", "**/node_modules/**"],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ],
    "headers": [
      {
        "source": "**",
        "headers": [
          {
            "key": "Strict-Transport-Security",
            "value": "max-age=31536000; includeSubDomains"
          },
          {
            "key": "X-Content-Type-Options",
            "value": "nosniff"
          },
          {
            "key": "X-Frame-Options",
            "value": "DENY"
          },
          {
            "key": "Referrer-Policy",
            "value": "strict-origin-when-cross-origin"
          },
          {
            "key": "Content-Security-Policy",
            "value": "upgrade-insecure-requests"
          }
        ]
      },
      {
        "source": "**/*.@(js|css|svg|png|jpg|webp|woff2)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "public, max-age=31536000, immutable"
          }
        ]
      }
    ]
  }
}
```

Common mistakes when enabling and enforcing HTTPS in Firebase Hosting

Mistake: Waiting for an SSL certificate without having correct DNS A records

How to avoid: Firebase can only provision SSL certificates after your DNS records correctly point to Firebase's IP addresses. Verify with dig A yourdomain.com and ensure the returned IPs match what the Firebase Console shows.

Mistake: Using Cloudflare's proxy (orange cloud) during initial SSL provisioning

How to avoid: Cloudflare's proxy intercepts the certificate validation request. Set the DNS record to DNS-only (grey cloud) during provisioning, then re-enable the proxy after the certificate is active.

Mistake: Hardcoding http:// URLs in your HTML, causing mixed content warnings

How to avoid: Replace all http:// resource URLs with https:// or protocol-relative (//). Add the Content-Security-Policy: upgrade-insecure-requests header as a safety net.

Mistake: Setting HSTS max-age to a long period before verifying HTTPS works correctly

How to avoid: Start with a short max-age (3600 seconds) while testing. Once confirmed, increase to 31536000 (one year). A long HSTS max-age with misconfigured HTTPS locks users out.

Best practices

  • Use the default .web.app domain for staging and the custom domain for production
  • Add HSTS headers with includeSubDomains to enforce HTTPS across all subdomains
  • Include additional security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy) alongside HSTS
  • Add Content-Security-Policy: upgrade-insecure-requests to automatically fix mixed content
  • Set immutable cache headers for hashed static assets to maximize CDN performance
  • Test SSL certificate status in the Firebase Console before going live with a custom domain


Frequently asked questions

Does Firebase Hosting support HTTP without HTTPS?

No. Firebase Hosting serves all content over HTTPS exclusively. There is no way to serve content over plain HTTP. Any HTTP requests are automatically redirected to HTTPS.

Do I need to buy an SSL certificate for my custom domain?

No. Firebase automatically provisions free SSL certificates through Let's Encrypt for all custom domains. The certificate renews automatically before expiration.

How long does it take for a custom domain SSL certificate to be provisioned?

After DNS records are correctly configured and propagated, SSL provisioning typically takes 10-30 minutes. In rare cases, it may take up to 24 hours. If it takes longer, check your DNS configuration.

Can I use a wildcard SSL certificate on Firebase Hosting?

No. Firebase provisions individual certificates for each domain you add. You must add each subdomain separately in the Firebase Console.

What happens if my SSL certificate expires?

Firebase automatically renews SSL certificates before they expire. If renewal fails (usually due to DNS changes), the Firebase Console shows a warning. Fix the DNS records and the certificate will renew automatically.

Can RapidDev help configure Firebase Hosting with custom domains and security headers?

Yes, RapidDev can set up your Firebase Hosting configuration with custom domains, SSL, HSTS headers, security headers, CDN caching rules, and SPA routing for production deployment.
