This document outlines the security practices and policies for the File Sharing App.
Variables prefixed with NEXT_PUBLIC_ are exposed in the browser and are considered public:
- NEXT_PUBLIC_FIREBASE_* - Firebase configuration (public keys only)
- NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY - Clerk public key
These variables should ONLY exist on the server and in .env.local:
- CLERK_SECRET_KEY - Clerk secret key
- Any database credentials
- Any API secrets
# ✅ Good - .gitignore prevents accidental commits
.env.local
.env.*.local
# ❌ Bad - Never commit these files
git add .env.local

// ✅ Good
const apiKey = process.env.NEXT_PUBLIC_FIREBASE_API_KEY;
// ❌ Bad
const apiKey = "AIzaSyCtyJ0kuvbIN30oLdQw6ji5GFZYihFdYuw";

Ensure your Firebase Firestore and Storage rules are properly configured:
- Only authenticated users can upload files
- Users can only access their own files
- Shared files have specific permissions
- Always use Clerk middleware for protecting routes
- Verify user identity before operations
- Use server-side validation
- Validate file types on the server
- Limit file sizes
- Scan for malicious content
- Implement rate limiting
If you discover a security vulnerability, please email security@example.com instead of using the issue tracker.
- Go to Firebase Console
- Project Settings → Service Accounts
- Generate new keys
- Update .env.local
- Redeploy application
- Go to Clerk Dashboard
- API Keys section
- Rotate secret keys
- Update .env.local
- Redeploy application
Before deploying to production:
- All secrets are in environment variables
- .env.local is in .gitignore
- No hardcoded credentials in source code
- Firebase security rules are configured
- Clerk environment variables are set
- HTTPS is enabled
- Rate limiting is implemented
- File upload validation is enabled
- User authentication is required for file access
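
The first three checklist items can be checked mechanically before a deploy. The following is an added example, not code from the File Sharing App; the function names, the secret-name heuristic and the key-shape patterns (Google/Firebase keys starting with AIza, Clerk secret keys starting with sk_test_ or sk_live_) are assumptions.

```javascript
// Added example: inputs are passed as strings so the checks run offline.
// Heuristic (assumption): names containing these words must stay server-side.
const SECRET_NAME = /SECRET|PRIVATE|PASSWORD|TOKEN|DATABASE_URL/i;
// Assumed credential shapes: Google/Firebase API keys and Clerk secret keys.
const HARDCODED = [
  { kind: "google-api-key", re: /AIza[0-9A-Za-z_-]{35}/ },
  { kind: "clerk-secret-key", re: /sk_(test|live)_[0-9A-Za-z]{20,}/ },
];
const lines = (text) => text.split(/\r?\n/).map((l) => l.trim());

// NEXT_PUBLIC_ variables are exposed in the browser, so a secret-looking
// name behind that prefix is readable by every visitor.
function exposedSecrets(envText) {
  return lines(envText)
    .filter((l) => l && !l.startsWith("#") && l.includes("="))
    .map((l) => l.replace(/^export\s+/, "").split("=")[0].trim())
    .filter((n) => n.startsWith("NEXT_PUBLIC_") && SECRET_NAME.test(n));
}

// True when the last matching .gitignore pattern ignores .env.local
// (a later "!" pattern re-includes the file, as git itself would).
function ignoresEnvLocal(gitignoreText) {
  const covering = new Set([".env.local", ".env*", ".env.*", ".env*.local", "*.local"]);
  let ignored = false;
  for (const line of lines(gitignoreText)) {
    if (!line || line.startsWith("#")) continue;
    const negated = line.startsWith("!");
    const pattern = line.replace(/^!/, "").replace(/^\//, "");
    if (covering.has(pattern)) ignored = !negated;
  }
  return ignored;
}

// Collect every problem found in one project snapshot.
function audit({ env, gitignore, sources }) {
  const problems = exposedSecrets(env).map((n) => `${n}: secret behind NEXT_PUBLIC_`);
  if (!ignoresEnvLocal(gitignore)) problems.push(".env.local is not ignored by git");
  for (const [file, source] of Object.entries(sources)) {
    lines(source).forEach((text, i) => {
      for (const { kind, re } of HARDCODED) {
        if (re.test(text)) problems.push(`${file}:${i + 1}: hardcoded ${kind}`);
      }
    });
  }
  return problems;
}

// Constructed sample project with one problem of each kind.
const sample = {
  env: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_x\nNEXT_PUBLIC_CLERK_SECRET_KEY=sk_test_x",
  gitignore: "node_modules\n.env.*.local",
  sources: { "lib/firebase.js": `const apiKey = "AIza${"A".repeat(35)}";` },
};
console.log(audit(sample));
```

Note that the sample .gitignore fails the check: the pattern .env.*.local does not match .env.local, which is why the page lists both entries.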
Keep track of:
- User registrations
- File uploads/deletions
- File sharing actions
- Access attempts to shared files
Last Updated: 2026-04-07