This document outlines important security practices when using and deploying the Switch Board project.
- DO NOT commit Firebase credentials to the repository
- DO NOT commit WiFi passwords
- DO NOT commit API keys or tokens
- Always use
.envfiles for sensitive data
Use environment variables instead of hardcoding credentials:
Dashboard (.env.local)
VITE_FIREBASE_API_KEY=xxx
VITE_FIREBASE_DATABASE_URL=xxx
ESP32 (Use platformio.ini or board config)
build_flags =
-D WIFI_SSID="YOUR_SSID"
-D WIFI_PASSWORD="YOUR_PASSWORD"Implement proper security rules in Firebase:
{
"rules": {
"led": {
".write": "auth != null && auth.uid == 'AUTHORIZED_USER_UID'",
".read": "auth != null && auth.uid == 'AUTHORIZED_USER_UID'"
},
"fan": {
".write": "auth != null && auth.uid == 'AUTHORIZED_USER_UID'",
".read": "auth != null && auth.uid == 'AUTHORIZED_USER_UID'"
},
"socket": {
".write": "auth != null && auth.uid == 'AUTHORIZED_USER_UID'",
".read": "auth != null && auth.uid == 'AUTHORIZED_USER_UID'"
}
}
}- Use strong, unique passwords
- Enable two-factor authentication on Firebase account
- Use service accounts for server-to-server communication
- Rotate credentials regularly
In Firebase Console:
- Go to Project Settings > API keys
- Restrict keys to Realtime Database
- Set IP restrictions for production
- Use WPA2/WPA3 encryption
- Use strong WiFi passwords (16+ characters)
- Hide SSID for additional security (optional)
- Use separate IoT network if available
- Always use HTTPS for web dashboard in production
- Enable SSL certificate verification
- Use Firebase's built-in SSL support
- Update firmware regularly
- Use secure boot if available
- Don't expose serial debug ports in production
- Use JTAG/debugger protection
- Implement safe failure modes
- Use redundant safety mechanisms
- Regular maintenance and inspection
- Proper electrical safety standards
// Good: Validate user before allowing changes
const user = auth.currentUser;
if (user && user.emailVerified) {
// Allow operation
}
// Bad: No validation
// Directly modify database without checkingImplement rate limiting to prevent abuse:
// Implement exponential backoff on repeated failures
const MAX_RETRIES = 3;
const RETRY_DELAY = 1000; // ms- Don't log credentials
- Don't store unnecessary personal data
- Comply with GDPR/privacy regulations
- Implement data retention policies
- Use encrypted connections (HTTPS/TLS)
- Consider database encryption
- Encrypt sensitive configuration files
# Check for vulnerabilities
npm audit
# Update dependencies
npm update
# Fix security issues
npm audit fix- Only use packages from official sources
- Check package maintainers
- Review package.json dependencies
- Use lock files (package-lock.json)
- No hardcoded secrets
- Security rules configured in Firebase
- HTTPS enabled
- Strong authentication in place
- Regular backups
- Monitoring and logging
- Access control configured
- Rate limiting implemented
- Use environment variables for all secrets
- Restrict API key permissions
- Enable CORS appropriately
- Implement request validation
- Use security headers
- Monitor Firebase usage
- Set up alerts for unusual activity
- Review access logs
- Check failed authentication attempts
- Log important events
- Don't log sensitive data
- Implement log rotation
- Secure log storage
- Immediately rotate all credentials
- Revoke Firebase tokens
- Change WiFi password
- Update ESP32 firmware
- Review security rules
- Check Firebase for unauthorized changes
- Do NOT post security vulnerabilities publicly
- Email security report to project maintainers
- Include detailed vulnerability description
- Allow reasonable time for patching
Before deploying to production:
- All credentials in environment variables
- Firebase security rules implemented
- HTTPS enabled
- Strong passwords set
- API keys restricted
- Rate limiting configured
- Access logs reviewed
- Backup strategy in place
- Monitoring configured
- Team trained on security
Security is everyone's responsibility. Thank you for keeping Switch Board secure!