firebase deploy --only database

This will deploy the rules from database.rules.json to your Firebase Realtime Database.

1. Go to Firebase Console
2. Click "Rules" tab
3. Verify the rules match database.rules.json

Location: index.html

Protection Against:

• XSS (Cross-Site Scripting) attacks
• Code injection
• Clickjacking
• Data exfiltration

What It Does:

• Only allows scripts from trusted sources
• Blocks inline scripts (except whitelisted)
• Prevents loading resources from untrusted domains
• Forces HTTPS connections

Location: src/lib/security.ts

Functions:

• sanitizeInput() - Removes HTML/script tags
• sanitizeHtml() - Cleans rich text content
• isValidEmail() - Email format validation
• isValidUrl() - URL validation

Usage:

import { sanitizeInput } from "@/lib/security";

const userInput = sanitizeInput(rawInput);

Protection Against:

• XSS attacks
• Script injection
• HTML injection

Location: src/lib/security.ts + Admin.tsx

Limits:

• Broadcasts: 10 per minute
• Lockdown toggles: 5 per minute

Protection Against:

• Spam attacks
• DoS (Denial of Service)
• Brute force attempts
• Resource exhaustion

Location: database.rules.json

Rules:

{
  "system/lockdown": {
    ".read": true, // Anyone can read
    ".write": "root.child('users').child(auth.uid).child('isOwner').val() === true" // Only platform owner can write
  }
}

Protection Against:

• Unauthorized lockdown activation
• Data tampering
• Privilege escalation

Features:

• 30-minute auto-logout
• Activity tracking
• Secure token generation

Protection Against:

• Session hijacking
• Unauthorized access
• Timing attacks

Location: index.html

Headers Implemented:

• X-Frame-Options: SAMEORIGIN - Prevents clickjacking
• X-Content-Type-Options: nosniff - Prevents MIME sniffing
• Referrer-Policy: strict-origin-when-cross-origin - Privacy protection
• Permissions-Policy - Restricts browser features

1. ✅ Never share admin credentials
2. ✅ Use strong, unique passwords
3. ✅ Enable 2FA on Firebase account
4. ✅ Monitor audit logs regularly
5. ✅ Review Firebase Console for suspicious activity

1. ✅ Always use sanitizeInput() for user input
2. ✅ Never store sensitive data in localStorage
3. ✅ Keep dependencies updated
4. ✅ Review security rules before deployment
5. ✅ Use environment variables for secrets

• Primary Platform Owner (Designated in Database)
• Authorized Operations Admins

To Add New Admin:

1. Update database.rules.json:

".write": "root.child('users').child(auth.uid).child('role').val() === 'super_admin'"

2. Update src/hooks/useAuth.tsx ADMIN_EMAILS array
3. Deploy: firebase deploy --only database

• Deploy Firebase security rules
• Verify admin email whitelist
• Test rate limiting
• Test input sanitization
• Verify CSP headers
• Check HTTPS enforcement
• Review environment variables
• Test session timeout

• Monitor Firebase Console
• Check for failed auth attempts
• Review lockdown logs
• Test admin access
• Verify student restrictions

VITE_AGORA_APP_ID=your_app_id
VITE_TOKEN_SERVER_URL=your_server_url
VITE_AI_API_URL=your_ai_url

• API keys in firebase.ts are PUBLIC (safe to commit)
• Security comes from Firebase Rules, not API key secrecy

1. Immediate: Activate Emergency Lockdown
2. Rotate: Change admin password
3. Review: Check Firebase Console logs
4. Update: Deploy new security rules
5. Notify: Inform affected users

• Firebase Support: https://firebase.google.com/support
• Admin Contact: Refer to Platform Directory

// Try to inject script
const malicious = "<script>alert('XSS')</script>";
const safe = sanitizeInput(malicious);
// Result: "&lt;script&gt;alert('XSS')&lt;/script&gt;"

1. Try broadcasting 11 times in 1 minute
2. Should see "Rate Limit Exceeded" after 10th attempt

1. Try to write to /system/lockdown as non-admin
2. Should fail with "Permission Denied"

Your app now has military-grade security with multiple layers of defense!

Last Updated: 2026-01-01 Security Level: MAXIMUM