From 66f8ff0e92ceace15463a77c524b3558de0f5531 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Fri, 7 Feb 2025 07:06:12 +0800 Subject: [PATCH 1/2] docs: add common xss exploits, #77 --- docs/pages/announcements/firebase-storage-2024.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx index f5cc7b46..dbd9e02c 100644 --- a/docs/pages/announcements/firebase-storage-2024.mdx +++ b/docs/pages/announcements/firebase-storage-2024.mdx 
@@ -138,7 +138,7 @@ Yes. Some of the latest core deliverables implemented for ACAP in its [ | Criteria | Purpose | ACAP [1.0](/changelog/#version-1-acap-10) | ACAP [2.0](/changelog/#version-2-acap-20) | | --- | --- | :---: | :---: | | User authentication | Authorized, allowed, and predictable operations access to resources | ✅ | ✅ | -| Cross-Site Scripting (XSS) Protection | Predictable billing, reliable/authentic website information, user information confidentiality, predictable data manipulation / SMS sending, protection for unvalidated writes that allow tampering with stored data, impacting system reliability (and protection for other uncontrolled scenarios that stem from XSS) | ✅ | ❌ | +| Cross-Site Scripting (XSS) Protection | Predictable billing, reliable/authentic website information, user information confidentiality, predictable data manipulation / SMS sending, protection for unvalidated writes that allow tampering with stored data, impacting system reliability, protection for injecting malicious scripts that steal user info or redirect users to phishing sites (and protection for other uncontrolled scenarios that stem from XSS) | ✅ | ❌ | | Cloud storage protection | Authorized, allowed, and predictable operations access to storage, predictable billing | ✅ | ✅ | | Database integrity | Accuracy, consistency, and reliability of data stored in a database and presented to users | ✅ | ❌ | | Database protection | Authorized, allowed, and predictable operations access to the (Firestore) database, predictable billing | ✅ | ❌ | From 5b17657f72912613a1d6f956b31b467073e2f05e Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Fri, 7 Feb 2025 07:19:03 +0800 Subject: [PATCH 2/2] chore: link security firebase announcement, #77 --- docs/pages/announcements/firebase-storage-2024.mdx | 2 +- docs/pages/security.mdx | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) 
diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx index dbd9e02c..bff139b0 100644 --- a/docs/pages/announcements/firebase-storage-2024.mdx +++ b/docs/pages/announcements/firebase-storage-2024.mdx @@ -133,7 +133,7 @@ _All Firebase components service usage (including those not used by ACAP) will o
-Yes. Some of the latest core deliverables implemented for ACAP in its [2.0](/changelog/#version-2-acap-20) version **introduced security flaws** not present in the initial ([1.0](/changelog/#version-1-acap-10) ) version, which had strictly followed security guidelines and adhered to best practices in web development security, effectively preventing these issues. Based on the following criteria, the new security flaws introduced in version 2.0 resulted in a **60% reduction in the established security from version 1.0**. +Yes. Some of the latest core deliverables implemented for ACAP in its [2.0](/changelog/#version-2-acap-20) version **introduced security flaws** not present in the initial ([1.0](/changelog/#version-1-acap-10)) version, which had strictly followed [security guidelines](/security) and adhered to best practices in web development security, effectively preventing these issues. Based on the following criteria, the new security flaws introduced in version 2.0 resulted in a **60% reduction in the established security from version 1.0**. | Criteria | Purpose | ACAP [1.0](/changelog/#version-1-acap-10) | ACAP [2.0](/changelog/#version-2-acap-20) | | --- | --- | :---: | :---: | diff --git a/docs/pages/security.mdx b/docs/pages/security.mdx index 6d793b20..bcc407b5 100644 --- a/docs/pages/security.mdx +++ b/docs/pages/security.mdx 
@@ -55,14 +55,16 @@ Manually test and ensure, using the Firebase Storage Web APIs, that: - Ensure that forked **climate-services-webportal-v1** (ACAP 1.0) or **acap-v2** (ACAP 2.0) monorepo code base or copies remain PRIVATE in GitHub and other public platforms. - - ## User/Admin Accounts 1. Ensure that Admin accounts are created by the superadmin in the NodeJS backend using [Firebase Authentication](https://firebase.google.com/docs/auth/) with [Firebase Custom Claims](https://firebase.google.com/docs/auth/admin/custom-claims), leveraging the [Firebase Admin SDK](https://firebase.google.com/docs/admin/setup) to ensure maximum security. 2. More information about ACAP 1.0's Security requirements are available in its Software Requirements Specifications document available in this [link](https://github.com/amia-cis/acap-v2/blob/dev/docs/acap_1.0_software_requirements_specification_v4.0.pdf) (accessible only for developers with access). +## Related + +- [Firebase Storage Announcements 2024 - Security Concerns](/announcements/firebase-storage-2024) + ## References ### Firebase Authentication
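Review bot: In the modified XSS row of the criteria table (PATCH 1/2), "protection for injecting malicious scripts" reads as if the injection itself is being protected; suggest "protection against injection of malicious scripts that steal user information or redirect users to phishing sites". The Purpose cell is also becoming one long comma-separated run; since the commit subject promises "common xss exploits", consider separating the impacts already listed (billing, data tampering, SMS sending) from the newly added attack forms (script injection, credential theft, phishing redirects), or moving that detail to a short list below the table so the row stays readable.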
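Review bot: The new `[security guidelines](/security)` link in the firebase-storage-2024.mdx hunk of PATCH 2/2 uses a bare site-root path while the neighbouring links use `/changelog/#...` anchors; confirm that `/security` resolves to `docs/pages/security.mdx` under the docs site's routing, since the reverse link added in security.mdx (`/announcements/firebase-storage-2024`) relies on the same convention and both break together if it does not. The stray-space fix in `([1.0](/changelog/#version-1-acap-10) )` is unrelated to the "chore: link" commit subject but is harmless.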
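Review bot: The new "## Related" entry in security.mdx links the whole announcement page, but the content it cross-references is the security-concerns paragraph edited in the previous hunk (around line 133 of firebase-storage-2024.mdx); if that section has a heading id, link to it with a fragment, as the `/changelog/#version-2-acap-20` links do, so readers land on the security discussion rather than the top of the announcement. Removing the two blank lines before "## User/Admin Accounts" is fine, but check that at least one blank line still separates the preceding "Ensure that forked ... remain PRIVATE" bullet from the heading so MDX does not fold the heading into the list item.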