- Window: 15 minutes
- Max Requests: 10 per IP address per window
- Headers: Returns
X-RateLimit-RemainingandRetry-Afterheaders - Storage: In-memory (resets on server restart)
- API Key: Required for all API requests
- Header:
X-API-Key - Environment:
INTERNAL_API_KEY(server-side only)
- Size Limit: 10KB maximum payload
- Input Sanitization: Map codes limited to 20 characters
- Region Validation: Only allowed regions accepted
- Required Fields: Comprehensive validation for all endpoints
- Origins: Restricted to your domain only
- Methods: POST and OPTIONS only
- Headers: Content-Type and X-API-Key allowed
- Preflight: Proper OPTIONS handling
X-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-Protection: 1; mode=blockReferrer-Policy: strict-origin-when-cross-originPermissions-Policy: geolocation=(), microphone=(), camera=()
- Read: Public access for all users
- Create: Authenticated users only
- Update: Owner or admin only
- Delete: Admin only
- Read: Public profile data, private for sensitive info
- Write: Users can only modify their own data
- Read/Write: Authenticated users only
- Ownership: Users can only modify their own votes
Optimized indexes for:
- Category + creation date
- Region + creation date
- Difficulty + creation date
- Net votes (descending)
- Vote score (descending)
- Views (descending)
- Creation date (descending)
- Map code + region (duplicate prevention)
# Firebase Configuration
NEXT_PUBLIC_FIREBASE_API_KEY=your_api_key_here
NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=your_project.firebaseapp.com
NEXT_PUBLIC_FIREBASE_PROJECT_ID=your_project_id
NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET=your_project.appspot.com
NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=your_sender_id
NEXT_PUBLIC_FIREBASE_APP_ID=your_app_id
NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID=your_measurement_id
# API Security
INTERNAL_API_KEY=your-strong-random-secret
NEXT_PUBLIC_API_KEY=your-strong-random-secret- Click "Enable API"
firebase deploy --only firestore- Set production domain in CORS configuration
- Use strong, unique API keys
- Never commit secrets to version control
β No API Keys in Client Code: All sensitive operations server-side only β Rate Limiting: Prevents abuse and DoS attacks β Input Validation: Prevents injection attacks β CORS Restrictions: Prevents unauthorized cross-origin requests β Security Headers: Protects against common web vulnerabilities β Firestore Rules: Database-level access control β Request Size Limits: Prevents buffer overflow attacks β Error Handling: No sensitive information leaked in errors
- Rate limiting logs IP addresses and timestamps
- API requests are logged for monitoring
- Firestore rules prevent unauthorized access
- Indexes ensure query performance
- Security headers protect against web attacks
- Implement Redis for distributed rate limiting
- Add request logging to external service
- Implement API versioning
- Add request/response encryption
- Implement OAuth2 for enhanced authentication