
Moving from Firebase to Cloudflare & Astro Beta 6

Cloudflare and Astro Beta 6

There has been a lot of jitter in the tech community lately regarding Astro being too close to Cloudflare. While Cloudflare has supported Astro since the beginning, the news finally broke in mid-January that Cloudflare is acquiring Astro.

I am just a simple user of the tech that is freely available, and that is where I am learning more about CSS, JS, and the web. For over five years, I have been super happy with Google Firebase and its ecosystem for hosting. Ultimately, however, I thought: why not try Cloudflare for a while and see how it works for my workflows and projects? If it works, great; if not, I can always move back to Firebase.

The Migration: Leaving Firebase for Cloudflare

So, in a fit of tech madness this Friday (6th Feb 2026), I changed my DNS, and now santm.com is pointing to Cloudflare. The initial DNS cutover was super easy—I just had to delete the current records and point them toward Cloudflare.

~$ curl -I https://santm.com
HTTP/1.1 200 OK
Date: Fri, 06 Feb 2026 16:41:03 GMT
Content-Type: text/html
Connection: keep-alive
CF-Cache-Status: HIT
Cache-Control: public, max-age=0, must-revalidate
ETag: "94f1bc3a66db26aeb423bee3deb14739"
Server: Cloudflare

At the same time, I moved myself to Astro Beta 6. There were no major changes to my codebase yet, but it looks like the big change Astro is bringing—one that might break code—is the new Content Security Policy (CSP).

The Security Header Horror

I ran my site through SecurityHeaders.com, and I went from a secure setup on Firebase to a big red ‘F’ on Cloudflare. This meant my site was missing basic protections against XSS (Cross-Site Scripting) and clickjacking. I used to rely on firebase.json to directly modify my headers. To my horror, as soon as I rechecked my security headers, I saw a big “F”.

F for FAILED

I tried my best to read the documentation quickly and fix it, but I couldn’t get it to work. My mind wasn’t fresh, and it was getting too late in the night, so I left it there. I tried to implement the built-in new CSP, but for some reason, it just wouldn’t work out. I was getting this error:

error
astro "check"
[config] Astro found issue(s) with your configuration:
!
security.csp: Did not match union.
Expected type boolean | directives.2
Received { "directives": [ "default-src 'self'", ... ] }
ELIFECYCLE Command failed with exit code 1.

Saturday Success

Coming back to it on Saturday afternoon with a good rest and a fresh mind, I started fixing things one at a time. First, I fixed the “Strict HTTPS,” which helped me move from an F to a D.

First Change, all HTTPS
From F to D

From there, I correctly implemented the HTTP CSP headers and ultimately secured an A.

From D to C as enforced strict transport
Started working with the rules
From C to B
Permission Policy and Strict Transport Properly
At last back to A

And then when I ran curl again, I could see all my headers. I’m at an A, but still using ‘unsafe-inline’ for styles/scripts. To be really secure, I’ll need to move those to external files.

HTTP/1.1 200 OK
Date: Sat, 07 Feb 2026 15:04:52 GMT
Content-Type: text/html
Connection: keep-alive
CF-Cache-Status: HIT
Cache-Control: public, max-age=0, must-revalidate
ETag: "94f1bc3a66db26aeb423bee3deb14739"
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=rnSTMMlxsXULvVnUSPT%2BaZ%2Fh1WBn5mfLmGtpasr7WG81s7lbUBsuPVWGVWUhA3rF3qEbxWs8KB6OXgjney%2B11iBWGgmw3br1ug%3D%3D"}]}
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
expect-ct: max-age=86400, enforce
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
Content-Security-Policy: default-src 'self'; connect-src 'self' https://api-gateway.umami.dev https://cloud.umami.is https://api.unsplash.com https://unsplash.com; font-src 'self' https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' santm.com unpkg.com cdnjs.cloudflare.com https://cloud.umami.is https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: *.tile.openstreetmap.org *.cartocdn.com https://images.unsplash.com https://plus.unsplash.com https://ik.imagekit.io/; frame-src https://www.youtube.com https://youtube-nocookie.com *.google.com https://www.facebook.com santm.com
Permissions-Policy: camera=(), geolocation=(), fullscreen=(self), autoplay=(self), payment=()
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 9ca3c8414e4974f4-MAA
alt-svc: h3=":443"; ma=86400
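
The gap noted above ('unsafe-inline' still in the policy) can be listed mechanically. This is an added example, not code from the site: it parses the Content-Security-Policy value from the curl output and flags unsafe keywords, wildcard hosts, and directives that have no default-src fallback. The function names and the finding shape are illustrative.

```javascript
// Added example, not the site's code. SAMPLE_CSP is the policy from the curl output above.
const SAMPLE_CSP = [
  "default-src 'self'",
  "connect-src 'self' https://api-gateway.umami.dev https://cloud.umami.is https://api.unsplash.com https://unsplash.com",
  "font-src 'self' https://fonts.gstatic.com",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' santm.com unpkg.com cdnjs.cloudflare.com https://cloud.umami.is https://cdn.jsdelivr.net",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
  "img-src 'self' data: *.tile.openstreetmap.org *.cartocdn.com https://images.unsplash.com https://plus.unsplash.com https://ik.imagekit.io/",
  "frame-src https://www.youtube.com https://youtube-nocookie.com *.google.com https://www.facebook.com santm.com",
].join("; ");

// These directives do not fall back to default-src, so they must be set explicitly.
const NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"];

// Split a header value into a Map of directive name -> source list.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Return findings as { directive, source, issue } objects (hypothetical report shape).
function auditCsp(value) {
  const policy = parseCsp(value);
  const findings = [];
  for (const [directive, sources] of policy) {
    // A nonce or hash in the same directive makes browsers ignore 'unsafe-inline'.
    const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
    for (const source of sources) {
      const s = source.toLowerCase();
      if (s === "'unsafe-eval'" || (s === "'unsafe-inline'" && !hasNonceOrHash)) {
        findings.push({ directive, source, issue: "unsafe keyword" });
      } else if (/(^|\/\/)\*/.test(s)) {
        findings.push({ directive, source, issue: "wildcard host" });
      }
    }
  }
  for (const directive of NO_FALLBACK) {
    if (!policy.has(directive)) findings.push({ directive, source: null, issue: "missing, no fallback" });
  }
  return findings;
}

for (const f of auditCsp(SAMPLE_CSP)) console.log(`${f.directive}: ${f.source ?? "(absent)"} -> ${f.issue}`);
```

frame-ancestors is reported as absent, but the X-Frame-Options: SAMEORIGIN header in the same response already restricts framing.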

About the Author


Santanu

A nature lover, runner, travel enthusiast, and occasional baker. He dives into web development and cloud technologies, always exploring and building with curiosity.
