Background and what I want to achieve
I developed a single-page application with Firebase × Vue.js.
Since I was concerned about security, I ran a vulnerability scan with OWASP ZAP and have been resolving the issues it reported.
I was able to resolve the following issues by editing firebase.json:
- Missing X-Frame-Options header
- Incomplete cache control / Pragma HTTP header settings
However, I looked into the following warnings in various ways but could not resolve them.
① Application error disclosure
⇒ A configuration problem on the Vue side? (vue.config.js)
② Session ID in URL Rewrite
⇒ I am only calling Firestore's methods, so I don't know how to keep the session ID out of the URL.
③ Cross-Domain Misconfiguration
⇒ ???
④ Incomplete cache control / Pragma HTTP header settings
⇒ After setting "Cache-Control" to "private, no-store, no-cache, must-revalidate" in firebase.json, the warning for the URL of the site I developed disappeared.
I would like to know whether the warnings above can actually become serious vulnerabilities in the first place, and how they should be resolved.
Warning details
① Application error disclosure
Description: This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.
URL: https://%project name%.firebaseapp.com/js/chunk-vendors.70ef397d.js
Method: GET
Evidence: internal error
Solution: Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.
② Session ID in URL Rewrite
Description: URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.
URL: https://firestore.googleapis.com/google.firestore.v1.Firestore/Listen/channel?database=projects%project name%2Fdatabases%2F(default)&gsessionid=xxxxxxx=8&RID=xxx&SID=xxxxxxxx=0&AID=x&TYPE=xmlhttp&zx=xxxxxxx
Method: GET
URL: https://firestore.googleapis.com/google.firestore.v1.Firestore/Listen/channel?database=projects%2Fproject name3%2Fdatabases%2F(default)&VER=8&gsessionid=xxxxxxxx&SID=xxxxxxxx&RID=xxxxx&TYPE=terminate&zx=xxxxxxx
Method: POST
Solution: For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.
③ Cross-Domain Misconfiguration
Description: Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
URL: https://fonts.gstatic.com/s/roboto/v20/xxxxxxxxxxxx.woff2
Method: GET
Solution: Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
Other information: The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
④ Incomplete cache control / Pragma HTTP header settings
Description: The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.
URL: https://firestore.googleapis.com/google.firestore.v1.Firestore/Listen/channel?database=projects%2Fproject name%2Fdatabases%2F(default)&gsessionid=xxxxxxx&VER=x&RID=xx&SID=xxxxxx&CI=x&AID=x&TYPE=xmlhttp&zx=xxxxxxxx&t=1
Method: GET
firebase.json
{
  "hosting": {
    "public": "dist",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ],
    "headers": [
      {
        "source": "**",
        "headers": [
          { "key": "X-Frame-Options", "value": "DENY" },
          { "key": "Cache-Control", "value": "private, no-store, no-cache, must-revalidate" },
          { "key": "X-Content-Type-Options", "value": "nosniff" },
          { "key": "X-XSS-Protection", "value": "1; mode=block" }
        ]
      }
    ]
  }
}
vue.config.js
module.exports = {
  transpileDependencies: [
    "vuetify"
  ],
  configureWebpack: {
    devtool: 'source-map'
  },
  pwa: {
    iconPaths: {
      favicon16: 'favicon.png',
      favicon32: 'favicon.png',
    }
  }
}
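As an added example that is not part of the question, here is a small Python triage script: it replays the question's firebase.json "headers" rules against the URLs from the ZAP alerts and reports, per URL, whether Firebase Hosting serves it at all (the firestore.googleapis.com and fonts.gstatic.com URLs are Google's own servers, so firebase.json cannot change their response headers) and which of the expected headers the matching rule leaves out. The hostnames, the placeholder project name and the shortened query strings are assumptions, and glob matching is approximated with fnmatch.

```python
import json
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed copy of the "headers" block from the question's firebase.json.
FIREBASE_JSON = json.loads("""
{"hosting": {"headers": [{"source": "**", "headers": [
  {"key": "X-Frame-Options", "value": "DENY"},
  {"key": "Cache-Control", "value": "private, no-store, no-cache, must-revalidate"},
  {"key": "X-Content-Type-Options", "value": "nosniff"},
  {"key": "X-XSS-Protection", "value": "1; mode=block"}]}]}}
""")

# Hosts served by Firebase Hosting for this app (assumed; the real project name is redacted).
HOSTING_HOSTS = {"example-project.firebaseapp.com", "example-project.web.app"}
# Headers the scan complained about that Hosting can set.
EXPECTED = ("X-Frame-Options", "Cache-Control", "X-Content-Type-Options")

# Constructed URLs mirroring the ZAP alerts in the question (session values shortened).
ALERT_URLS = {
    "app-error": "https://example-project.firebaseapp.com/js/chunk-vendors.70ef397d.js",
    "session-in-url": "https://firestore.googleapis.com/google.firestore.v1.Firestore/Listen/channel?gsessionid=xxx&SID=xxx",
    "cors": "https://fonts.gstatic.com/s/roboto/v20/xxxxxxxxxxxx.woff2",
}


def headers_from_config(url, config=FIREBASE_JSON):
    """Headers firebase.json adds to `url`, or None when the host is not Firebase Hosting.

    Glob matching is approximated with fnmatch ("**" matches any path); Firebase's
    real matcher also supports extglob, which the question's rule does not use.
    """
    parts = urlsplit(url)
    if parts.hostname not in HOSTING_HOSTS:
        return None  # googleapis.com / gstatic.com are Google's servers; firebase.json cannot touch them
    applied = {}
    for rule in config["hosting"].get("headers", []):
        if fnmatch(parts.path or "/", rule["source"]):
            applied.update((h["key"], h["value"]) for h in rule["headers"])
    return applied


def triage(url, config=FIREBASE_JSON):
    """Say whether a ZAP alert URL is in scope for firebase.json and which expected headers it lacks."""
    hdrs = headers_from_config(url, config)
    if hdrs is None:
        return {"scope": "third-party", "headers": {}, "missing": []}
    missing = [k for k in EXPECTED if k not in hdrs]
    if "Cache-Control" in hdrs and "no-store" not in hdrs["Cache-Control"]:
        missing.append("Cache-Control")  # present, but still lets browsers and proxies keep the response
    return {"scope": "hosting", "headers": hdrs, "missing": missing}
```

Running `triage` over `ALERT_URLS` shows only the chunk-vendors URL is under the app's own hosting rules; the Firestore and font URLs belong to Google's services and are outside what firebase.json controls.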