- All collections protected with read/write rules
- User data isolated by userId
- Admin-only write access for users collection
- Default deny-all for unlisted collections
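A firestore.rules file that expresses the four properties above, added here as an illustration; it is not the project's own rules file, which is not reproduced on this page. It assumes Firebase Authentication is in use (so request.auth.uid is the signed-in user's id), that per-user documents live under an assumed userData/{userId} path, and that an admin is marked by a role field equal to 'admin' on that user's document in the users collection. All three of those names are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // --- helpers (assumed data model: users/{uid}.role == 'admin' marks an admin) ---
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }
    function isAdmin() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }

    // users collection: a user may read their own record, admins may read all,
    // and only admins may create, update or delete user records.
    match /users/{userId} {
      allow read: if isOwner(userId) || isAdmin();
      allow write: if isAdmin();
    }

    // per-user data (assumed path): isolated by userId, only the owner has access.
    match /userData/{userId}/{document=**} {
      allow read, write: if isOwner(userId);
    }

    // Default deny for every path not matched above. Firestore already denies
    // when no rule grants access, so this adds nothing at runtime, but it makes
    // the intended policy explicit for whoever reviews the file next.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Before publishing, the three Firestore checks listed later on this page (own data only, no access to other users' collections, no writes to users) can be exercised against the local emulator with `firebase emulators:start --only firestore`, so a rule that is too permissive is caught before it reaches production.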
Deploy via Firebase CLI:

```bash
# Install Firebase CLI (if not installed)
npm install -g firebase-tools
# Login to Firebase
firebase login
# Initialize Firebase (if not done)
firebase init firestore
# Deploy security rules
firebase deploy --only firestore:rules
```

Or manually:
- Go to Firebase Console
- Select project: assexp-8524b
- Navigate to Firestore Database → Rules
- Copy content from firestore.rules and publish
- ✅ Remember Me functionality with persistent login
- ✅ Session stored in localStorage (persistent) or sessionStorage (temporary)
- ✅ Auto-redirect to appropriate dashboard (admin/assistant)
- ✅ Secure logout clears all session data
Session Storage:
- localStorage.teamUser - User data (when Remember Me is checked)
- localStorage.teamRememberMe - Remember Me preference
- localStorage.teamLoginTime - Login timestamp
- sessionStorage.teamUser - Temporary session (when Remember Me unchecked)
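The following is an added example of the Remember Me flow using exactly the four storage keys listed above; it is not the app's own code. The storage objects are injected so the same functions run in a browser (window.localStorage and window.sessionStorage) and offline in Node with the in-memory stubs defined in the block. Two points it makes that the list does not: only identity fields go into storage, never a password, because anything in localStorage is readable by every script on the origin (the real access control stays in the Firestore rules), and a persistent session is given a maximum age (the 30-day value is an assumption; the page lists session timeout as a future enhancement).

```javascript
// Added example (not the project's js code): Remember Me session handling.

const KEYS = {
  user: "teamUser",
  remember: "teamRememberMe",
  loginTime: "teamLoginTime",
};

// Assumption: a persistent login is dropped after this many milliseconds (30 days).
const PERSISTENT_MAX_AGE_MS = 30 * 24 * 60 * 60 * 1000;

// Minimal Storage-like stub so the functions can run outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Store only what the dashboards need (uid, role, display name) in the store
// that matches the Remember Me choice, and remove any copy in the other one.
function saveSession(user, rememberMe, stores, now = Date.now()) {
  const { local, session } = stores;
  const record = JSON.stringify({ uid: user.uid, role: user.role, name: user.name });
  local.removeItem(KEYS.user);
  session.removeItem(KEYS.user);
  if (rememberMe) {
    local.setItem(KEYS.user, record);
    local.setItem(KEYS.remember, "true");
    local.setItem(KEYS.loginTime, String(now));
  } else {
    session.setItem(KEYS.user, record);
    local.removeItem(KEYS.remember);
    local.removeItem(KEYS.loginTime);
  }
}

// Parse a stored record; anything corrupt or tampered is treated as logged out.
function parseRecord(raw, stores) {
  try {
    const user = JSON.parse(raw);
    if (user && typeof user.uid === "string") return user;
  } catch (e) {
    // fall through: unparseable record
  }
  clearSession(stores);
  return null;
}

// Returns the restored user or null. A temporary session wins if present;
// a persistent one is honoured only while its login timestamp is fresh enough.
function loadSession(stores, now = Date.now()) {
  const { local, session } = stores;
  const temp = session.getItem(KEYS.user);
  if (temp !== null) return parseRecord(temp, stores);
  if (local.getItem(KEYS.remember) !== "true") return null;
  const loginTime = Number(local.getItem(KEYS.loginTime));
  if (!Number.isFinite(loginTime) || now - loginTime > PERSISTENT_MAX_AGE_MS) {
    clearSession(stores);
    return null;
  }
  return parseRecord(local.getItem(KEYS.user), stores);
}

// Logout: remove every session key from both stores, so neither a persistent
// nor a temporary copy survives.
function clearSession(stores) {
  for (const key of Object.values(KEYS)) {
    stores.local.removeItem(key);
    stores.session.removeItem(key);
  }
}

// Dashboard a restored session should be redirected to (admin/assistant).
function dashboardFor(user) {
  return user && user.role === "admin" ? "admin.html" : "assistant.html";
}
```

In the page scripts, loadSession runs on every page load; a null result means redirect to index.html, anything else means redirect to dashboardFor(user). Because the stored role is client-side data, admin.html must still rely on the Firestore rules, not on this record, for what the user is actually allowed to read or write.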
- ✅ Installable on iPhone/Android home screen
- ✅ Standalone mode (opens like native app, no browser UI)
- ✅ Service Worker for offline caching
- ✅ Custom splash screen and icons
- ✅ Persistent login when launched from home screen
How to Install on iPhone:
- Open https://assexp.pages.dev in Safari
- Tap Share button (square with arrow)
- Scroll down and tap "Add to Home Screen"
- Tap "Add" in top right
- App icon appears on home screen
- Launch from home screen - opens in standalone mode!
Features:
- App stays logged in (with Remember Me)
- No browser address bar
- Full screen experience
- Offline support (cached pages)
- Fast loading
Deployed via Cloudflare Pages:
- X-Frame-Options: DENY - Prevents clickjacking
- X-Content-Type-Options: nosniff - Prevents MIME sniffing
- X-XSS-Protection: Enabled - legacy XSS filter header; current browsers ignore it, so the Content-Security-Policy below is the header that actually limits script injection
- Referrer-Policy: strict-origin-when-cross-origin
- Strict-Transport-Security: HTTPS enforcement
- Content-Security-Policy: Prevents XSS and injection attacks
- Permissions-Policy: Blocks unnecessary browser features
- ✅ robots.txt blocks search engine indexing
- ✅ No public access without login
- ✅ API keys protected (client-side validation)
Current Status:
- Firebase config is PUBLIC (normal for web apps)
- LLM, Telegram, ElevenLabs keys are in js/config.js (client-accessible)
Recommendations:
- ✅ Works fine for private team app
- ✅ Firebase rules protect data access
- Implement Cloudflare Workers for:
  - LLM API calls
  - Telegram notifications
  - ElevenLabs voice generation
Steps:
- Create Cloudflare Worker endpoints
- Store API keys as Worker secrets
- Client calls Worker, Worker calls external APIs
- Keys never exposed to client
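The four steps above, carried through as one Worker handler for the LLM case; this is an added example and not the project's Worker. Assumptions: the key is bound as the Worker secret env.OPENROUTER_API_KEY (set with `wrangler secret put OPENROUTER_API_KEY`), the allowed origin is the production URL given on this page, and the upstream URL is a placeholder. The fetch function is injected so the handler can be exercised without network access; in the deployed module the `worker` object at the bottom is the default export.

```javascript
// Added example (not the project's code): a Worker that keeps the LLM key server-side.

const ALLOWED_ORIGIN = "https://assexp.pages.dev";
const UPSTREAM_URL = "https://llm.example.invalid/v1/chat"; // placeholder, not a real endpoint
const MAX_BODY_BYTES = 16 * 1024;

async function handleRequest(request, env, fetchImpl) {
  if (request.method !== "POST") {
    return new Response("method not allowed", { status: 405 });
  }
  // Only the team app's origin may call this endpoint. Origin is set by the
  // browser and is not a secret, so this stops other sites, not other tools;
  // verifying the user's Firebase ID token would be the next hardening step.
  if (request.headers.get("Origin") !== ALLOWED_ORIGIN) {
    return new Response("forbidden", { status: 403 });
  }
  if (!env.OPENROUTER_API_KEY) {
    // Secret not bound: fail closed rather than forwarding an unauthenticated call.
    return new Response("worker misconfigured", { status: 500 });
  }
  const raw = await request.text();
  if (raw.length > MAX_BODY_BYTES) {
    return new Response("payload too large", { status: 413 });
  }
  let body;
  try {
    body = JSON.parse(raw);
  } catch (e) {
    return new Response("bad request", { status: 400 });
  }
  if (!body || typeof body.prompt !== "string" || body.prompt.length === 0) {
    return new Response("bad request", { status: 400 });
  }
  // Rebuild the upstream request from validated fields only, so a client cannot
  // pass arbitrary headers or parameters through to the provider.
  const upstream = await fetchImpl(UPSTREAM_URL, {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${env.OPENROUTER_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ prompt: body.prompt }),
  });
  // Return status and body only; provider headers are not forwarded to the client.
  const text = await upstream.text();
  return new Response(text, {
    status: upstream.status,
    headers: {
      "Content-Type": "application/json",
      "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
    },
  });
}

// In the deployed Worker module: export default worker;
const worker = {
  fetch: (request, env) => handleRequest(request, env, globalThis.fetch),
};
```

The client-side change is small: js/config.js no longer holds the provider key, and the page calls the Worker URL with the prompt instead of the provider directly. The same shape serves the Telegram and ElevenLabs cases with a different upstream URL and secret binding.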
- Try accessing admin.html without login → redirected to index.html
- Try accessing assistant.html without login → redirected to index.html
- Login with wrong password → error message
- Login with Remember Me checked → stays logged in after browser restart
- Login without Remember Me → logged out after browser restart
- Logout → session cleared, redirected to login
- Install app to home screen
- Launch app from home screen → opens in standalone mode (no Safari UI)
- App stays logged in between launches
- Close and reopen → still logged in (with Remember Me)
- Logout and reopen → shows login screen
- Open app while online
- Turn off WiFi/data
- Navigate between cached pages → works
- Try to login offline → fails (needs network)
- Turn WiFi back on → login works
- User can only read/write their own data
- Cannot access other users' collections
- Cannot modify users collection
- Production URL: https://assexp.pages.dev
- Latest Deploy: https://7a4c52b6.assexp.pages.dev
- Platform: Cloudflare Pages
Deploy commands:

```bash
cd /Users/perignon/Desktop/mori-team-app
git add -A
git commit -m "your commit message"
npx wrangler pages deploy . --project-name=assexp --commit-dirty=true
```

Opened in Safari:
- URL bar visible
- Browser controls
- "Website" feel
- Logs out between sessions
Launched from home screen (standalone mode):
- Full screen
- No browser UI
- Native app feel
- Stays logged in
- Faster loading
- Offline support
- Never commit real API keys to Git
  - Current keys should be rotated if repo becomes public
  - Use environment variables for production
- Regular Security Audits
  - Check Firebase rules monthly
  - Review access logs
  - Update dependencies
- User Management
  - Change passwords via Firebase Console
  - Deactivate users by deleting from users collection
  - Monitor login activity
- Backup Strategy
  - Export Firestore data monthly
  - Keep backup of configuration files
  - Document custom Firebase rules
If API keys are exposed:
- Rotate all API keys immediately:
  - Firebase: Generate new config
  - OpenRouter: Regenerate key
  - Telegram: Create new bot via @BotFather
  - ElevenLabs: Generate new API key
- Update js/config.js with new keys
- Deploy immediately
- Check for unauthorized usage in API dashboards
If unauthorized access is detected:
- Immediately update Firebase Security Rules to deny all
- Export all data for forensics
- Reset all user passwords
- Investigate access logs
- Restore from backup if needed
- Two-Factor Authentication (2FA)
- IP Whitelisting via Cloudflare
- Audit Logging (track all data changes)
- Encrypted Field Storage (for sensitive data)
- Session Timeout (auto-logout after inactivity)
- Rate Limiting (prevent brute force attacks)
- Backend API Gateway (hide all API keys)
Last Updated: 2026-02-04 Security Level: 🟢 PROTECTED