From 2ee755f56130ecc83ef01987ea9fb61ab010ccf9 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Fri, 7 Feb 2025 23:30:36 +0800 Subject: [PATCH] docs: link security and server pages to security concerns, #77 --- .../announcements/firebase-storage-2024.mdx | 17 +++++++++-------- docs/pages/changelog.mdx | 2 +- docs/pages/security.mdx | 5 +++-- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx index 2d39e348..a87fa6ff 100644 --- a/docs/pages/announcements/firebase-storage-2024.mdx +++ b/docs/pages/announcements/firebase-storage-2024.mdx @@ -3,7 +3,7 @@ import { useTheme } from 'next-themes' import { Callout } from 'nextra/components' import { Table } from 'nextra/components' -export function FAQBox({ title, children, open = false }) { +export function FAQBox({ title, children, open = false, color = '' }) { // Copied from /articles/provinces-municipalities.mdx const [isClient, setIsClient] = useState(false) const { theme, resolvedTheme } = useTheme() @@ -28,7 +28,7 @@ export function FAQBox({ title, children, open = false }) { className={detailsBgStyle} > - {title} + {title}
{children}
@@ -79,10 +79,11 @@ Starting on October 30, 2024< - No, this announcement only affects the Firebase Storage. Discontinued support of the Firebase standard (no-cost) pricing plan only affects the Firebase Storage. -- Other Firebase components used by ACAP - the Firestore Database, Firebase Authentication, and Firebase Hosting still retain their standard (no-cost) pricing plans until further announcements or changes by Google Firebase. +- Other Firebase components used and activated by ACAP - the Firestore Database, Firebase Authentication, and Firebase Hosting still retain their standard (no-cost) pricing plans until further announcements or changes by Google Firebase. -Subscribing to the Firebase Blaze Plan **will automatically enroll** all Firebase components to the pay-as-you-go Blaze plan, not just the Firebase Storage. +Subscribing to the Firebase Blaze Plan **will automatically enroll** all Firebase components/services to the pay-as-you-go Blaze plan, not just the Firebase Storage. +However, billing charges beyond the no-cost usage quotas will only incur on manually activated Firebase services. @@ -117,7 +118,7 @@ _All Firebase components service usage (including those not used by ACAP) will o - Firebase usage analytics are accessible at this URL with or without a subscription to the Firebase Blaze plan: - ```text + ```text copy https://console.firebase.google.com/project//usage ``` 
@@ -126,12 +127,12 @@ _All Firebase components service usage (including those not used by ACAP) will o ACAP expects usage only from the following Firebase services: **Firestore Database**, **Firebase Storage**, **Authentication**, and **Hosting**. [ACAP's Security guidelines](/security) only cover these four (4) Firebase components, aside from general web application security practices and know-how, e.g., stressing the need for data validation [[1]](/security/#database) [[2]](/directories/server). - > Developers can use other Firebase components as deemed necessary when needed. However, since they are not included originally in the ACAP project Firebase components, developers should care about using them responsibly to avoid incurring Security issues and unexpected billing. + > Developers can use and activate other Firebase components as deemed necessary when needed. However, since they are not included originally in the ACAP project Firebase components, developers should care about using them responsibly to avoid incurring security issues and unexpected billing. -
+ Yes. Some of the latest core deliverables implemented for ACAP in its [2.0](/changelog/#version-2-acap-20) version [**introduced security flaws**](/changelog#acap-2-security-debts) not present in the initial ([1.0](/changelog/#version-1-acap-10)) version, which had strictly followed [security guidelines](/security) and adhered to best practices in web development security, effectively preventing these issues. Based on the following criteria, the new security flaws introduced in version 2.0 resulted in a **60% reduction in the established security from version 1.0**. @@ -205,7 +206,7 @@ Key topics to discuss include: ACAP's [Security measures and practices for Firebase](/security) only cover the Firebase components that it actively uses: **Firestore Database**, **Firebase Storage**, **Authentication**, and **Hosting**. -Developers are encouraged to learn more about responsible Security measures and practices for other Firebase components or services, should they feel the need to use [other Firebase services](https://firebase.google.com/products-build) (e.g., **Firebase ML**, **Cloud Functions**, **Extensions**, etc) for their ACAPs other than **four (4) main Firebase components** used by ACAP. +Developers are encouraged to learn more about responsible Security measures and practices for other Firebase components or services, should they feel the need to use and activate [other Firebase services](https://firebase.google.com/products-build) (e.g., **Firebase ML**, **Cloud Functions**, **Extensions**, etc) for their ACAPs other than **four (4) main Firebase components** used by ACAP. diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx index 97f64f16..d606555f 100644 --- a/docs/pages/changelog.mdx +++ b/docs/pages/changelog.mdx 
@@ -76,7 +76,7 @@ Version 2.0 and later versions may have new requirements that will thrive on new > These issues, raised during the early 2.0 development phase (June 2024), have been communicated to the new main ACAP code Maintainer, who is also the new primary developer/programmer leading the creation and enhancement of new features for Version 2.0. The new code Maintainer has made thoughtful decisions for balancing development speed with feature delivery, reflecting their understanding of the project's scope and the perceived security needs. They are open to addressing these issues as time and priorities allow within the ACAP project timeline. -**Related topic:** [Security Considerations](/announcements/firebase-storage-2024#security-considerations) +**Related topic:** [Security Concerns](/announcements/firebase-storage-2024#security-considerations)
diff --git a/docs/pages/security.mdx b/docs/pages/security.mdx index bcc407b5..f2c5c3ef 100644 --- a/docs/pages/security.mdx +++ b/docs/pages/security.mdx @@ -33,7 +33,7 @@ Please ensure continued compliance with these security standards when extending - (a) ACAP 1.0's Firestore Rules strictly prohibits **Database #1.a** and **Database #1.b** to enforce this. - (b) If new requirements allow item **Database #1.a** to "directly" perform **CREATE/EDIT/DELETE** operations in Firestore collections or documents using the [Firestore Web API](https://firebase.google.com/docs/firestore/quickstart) or [Firestore REST APIs](https://firebase.google.com/docs/firestore/use-rest-api), please ensure that _**"new"**_ and robust [Firestore Rules](https://firebase.google.com/docs/firestore/security/get-started) are created and thoroughly tested. These Rules may need to be separate from ACAP 1.0, which _"discourages this approach unless Firestore Rules can be properly enforced"_. -3. Ensure proper server-side validation when mutating data through the backend (NodeJS) REST APIs using **validation scripts** in _middleware_ or the _controller_ scripts. +3. Ensure proper server-side validation when mutating data through the backend (NodeJS) REST APIs using **validation scripts** in [_middleware_](/directories/server/#middleware) or the [_controller_](/directories/server/#controllers) scripts. 4. Firestore database security relies on properly tested Firestore Rules to ensure security, especially if its rules do not disable all **VIEW/CREATE/EDIT/DELETE** operations. - Please ensure that "new" and robust Firestore Rules are created and thoroughly tested, in case new database components or requirements need to be added to the ACAP 1.0 Firestore database. 
@@ -63,7 +63,8 @@ Manually test and ensure, using the Firebase Storage Web APIs, that: ## Related -- [Firebase Storage Announcements 2024 - Security Concerns](/announcements/firebase-storage-2024) +- [Server Notes](/directories/server) +- [Firebase Storage Announcements 2024 - Security Concerns](/announcements/firebase-storage-2024#security-considerations) ## References
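Review bot: The new `color = ''` prop on `FAQBox` in the first firebase-storage-2024.mdx hunk (`@@ -3,7`) widens a component that the comment says is "Copied from /articles/provinces-municipalities.mdx", so the two copies now diverge; consider moving `FAQBox` into a shared component file that both pages import, and document in a comment what values `color` accepts (a class name versus a CSS color) so callers do not pass arbitrary strings into styling.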
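Review bot: The sentence added in the `@@ -79,10` hunk, "billing charges beyond the no-cost usage quotas will only incur on manually activated Firebase services", reads awkwardly and states a billing rule without a source; suggest "charges beyond the no-cost quotas are only incurred for Firebase services that have been manually activated" and a link to the Firebase pricing page so readers can verify the claim, since this is the statement that reassures developers that enrolling in Blaze does not by itself create cost.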
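Review bot: In the `@@ -117,7` hunk the fence gains `copy`, but the URL shown in the block is `https://console.firebase.google.com/project//usage`, with an empty segment between the two slashes where the project ID placeholder should be; with a copy button the text is copied verbatim, so confirm the placeholder survives rendering in MDX (angle-bracket placeholders are easily swallowed as JSX) or spell it out, for example `project/PROJECT_ID/usage`.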
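Review bot: The anchors in the new FAQBox text of the `@@ -126,12` hunk are inconsistent: `/changelog/#version-2-acap-20` and `/changelog/#version-1-acap-10` use a trailing slash before the fragment while `/changelog#acap-2-security-debts` does not; pick one form so the links behave the same under Nextra's trailing-slash handling. The sentence "Based on the following criteria ... resulted in a 60% reduction in the established security" also needs the criteria to actually follow in the same box, otherwise the percentage stands unsupported; if the criteria live on the changelog page, say so explicitly.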
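Review bot: The `@@ -205,7` hunk keeps "responsible Security measures" with a capital S while the `@@ -126,12` hunk in the same file deliberately lowercases "security issues"; lowercase it here too for consistency.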
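Review bot: In the changelog.mdx hunk (`@@ -76,7`) the link text changes from "Security Considerations" to "Security Concerns" but the fragment stays `#security-considerations`; this only works if the heading on the announcements page was not renamed, and the same anchor is now referenced from security.mdx as well, so verify the heading's generated id once and note it, because renaming that heading later would silently break three links.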
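Review bot: Item 3 in the security.mdx hunk (`@@ -33,7`) now links middleware and controllers, but "in middleware or the controller scripts" still leaves the choice open; consider stating that validation belongs in middleware that runs before the controller for every mutating route, with controller-level checks as a second layer, so a newly added route cannot skip validation by omission.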