
Security Guidelines

Warning: If you are connected to this project in any way, you are obligated to take every measure to secure your work and any assets owned by Hudi, Calm Experts, etc.

This document describes the security measures implemented in the backend, including authentication methods, API key protection, and environment variable management.


Personal

Before you consider any development-side security, you must secure your accounts and devices by following the Calm Experts Security Guidelines.


Authentication with Firebase

The backend uses Firebase Authentication to validate users.

  • All private routes (/me, /addUser, etc.) require a valid Firebase ID token.
  • Tokens must be passed in the Authorization header:
    Authorization: Bearer <firebase_token>
  • The token is verified using Firebase's public keys.
  • After verification, the backend checks if the user exists in the MongoDB database.

API Token Protection

Some public routes require an API token for access.

  • These routes use the checkApiToken() middleware.
  • Clients must include the API token in the header:
    x-api-key: <API_TOKEN>
  • The expected API token is stored in the .env file.

This mechanism helps prevent abuse of public endpoints by external scripts or bots.


Environment Variables

Sensitive configuration values are stored in .env and .env.local files.

  • These files should never be committed to Git.
  • They must be created manually in the project root.
  • Required variables:
    API_TOKEN=your_api_token_here
    FIREBASE_PROJECT_ID=your_project_id
    MONGO_DB_URI=your_mongodb_uri

In production environments (e.g., Google Cloud Run), it is recommended to use Secret Manager for managing sensitive data.

  • Secrets can be defined via gcloud or the GCP console.
  • Cloud Run services can access secrets as environment variables.
  • This adds an extra layer of security and avoids hardcoding sensitive values.

Route Access Rules

  • Only explicitly intended routes should be accessible without authentication.
  • Use --allow-unauthenticated on Cloud Run only for public routes.
  • All user-specific data must require Firebase token verification.

Notes

  • Always validate inputs on the backend, even if frontend validation exists.
  • Avoid exposing any user data without authentication.
  • Limit the surface of exposed routes to only what is strictly necessary.

Last updated: 2025-04-01

Security Practices

If you are connected to this project in any other way, we strongly recommend these security measures be taken.

Account Security

To ensure security on all accounts that have access to work-related material, follow these instructions.

  • Strong Password

    Do not come up with a password yourself; use a trusted password generator such as the one built into the Chrome browser. That means your Google account must also be very secure and follow these practices. Do not store your passwords in any file type other than a dedicated password manager.

  • 2FA

    You should have 2FA turned on for all accounts that have access to work-related materials, including but not limited to those mentioned above.

Locked Devices

Accounts to secure

The accounts you must secure are listed here:

  • Your Google account

    This account has access to our work chat and other lightly sensitive work-related documents.

  • GitHub

    This has access to our repos and projects, so it should be well secured.

Device Security

Any device (phone, laptop or even a smartwatch) must be locked using a fingerprint and pattern or strong password. Short codes or simple patterns are prohibited.

Product Security

APIs

Security           | Description                                  | Links & Resources
-------------------|----------------------------------------------|------------------
Personal security  | Be sure to follow the [Security Guidelines]  |
Data security      |                                              |
Code security      |                                              |