This project uses environment variables to secure sensitive Firebase configuration data.

1. Copy the environment template:

   cp .env.example .env

2. Update .env with your Firebase config:

   • Go to Firebase Console
   • Select your project
   • Go to Project Settings > General
   • Copy your Firebase configuration values
   • Replace the placeholder values in .env

• ✅ NEVER commit .env files to version control
• ✅ Use environment variables for all sensitive data
• ✅ Use different Firebase projects for development/production
• ✅ Regularly rotate API keys
• ✅ Set up Firebase security rules

For Firestore, add these security rules in Firebase Console:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Messages can be read/written by authenticated users only
    match /messages/{document} {
      allow read, write: if request.auth != null;
    }
  }
}

For Firebase Storage (if using file uploads):

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

When deploying to production (Vercel, Netlify, etc.):

1. Set environment variables in your hosting platform
2. Use the same variable names (VITE_FIREBASE)
3. Never expose sensitive keys in client-side code
4. Consider using Firebase Admin SDK for server-side operations

If you accidentally committed sensitive keys:

1. Immediately regenerate your Firebase API keys
2. Update your .env file with new keys
3. Remove the sensitive commit from git history:

   git filter-branch --force --index-filter \
   'git rm --cached --ignore-unmatch src/firebase-config.js' \
   --prune-empty --tag-name-filter cat -- --all

4. Force push to remote repository
5. Update any deployed applications with new keys

If you have security concerns or find vulnerabilities, please:

• Open a security issue (mark as security vulnerability)
• Contact maintainers directly
• Follow responsible disclosure practices