Clinical Horizon handles sensitive healthcare infrastructure data.
We take the security of this platform seriously and appreciate responsible disclosure.
| Version | Supported |
|---|---|
main branch (latest) |
✅ Active |
| Older tagged releases | ❌ No longer supported |
- All protected routes require a valid Firebase session token.
- Firestore Security Rules enforce server-side role checks — the frontend role gating is a UX layer only.
- The hardcoded Master Admin bypass (
admin@bedmgmt.com / MasterAdmin2026!) must be removed or disabled before any production deployment. It exists only for local development convenience. SeeAuthContext.jsx. - Google OAuth is enabled. Revoke OAuth tokens in the Firebase Console if a breach is suspected.
Never commit real credentials.
| Variable | Purpose |
|---|---|
VITE_FIREBASE_API_KEY |
Firebase project API key |
VITE_FIREBASE_AUTH_DOMAIN |
OAuth redirect domain |
VITE_FIREBASE_PROJECT_ID |
Firestore & Auth project |
VITE_FIREBASE_STORAGE_BUCKET |
Firebase Storage |
VITE_FIREBASE_MESSAGING_SENDER_ID |
FCM sender |
VITE_FIREBASE_APP_ID |
Firebase App ID |
VITE_FIREBASE_MEASUREMENT_ID |
Analytics (optional) |
All VITE_ prefixed variables are embedded in the client bundle at build time and are visible to anyone who inspects the JavaScript files. This is standard practice for Firebase web apps — security is enforced by Firestore Security Rules and Firebase App Check, not by keeping keys secret.
Recommended hardening:
- Restrict your Firebase API key in the Google Cloud Console to only your deployed domain.
- Enable Firebase App Check with reCAPTCHA v3 or Device Check.
- Write strict Firestore Security Rules that validate
request.auth.uidand custom claims. - Enable Email Enumeration Protection in Firebase Authentication settings.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Users can only read/write their own profile
match /users/{uid} {
allow read, update: if request.auth != null && request.auth.uid == uid;
allow create: if request.auth != null;
}
// Admins and superadmins can read all user docs
match /users/{uid} {
allow read: if request.auth != null
&& get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role
in ['admin', 'superadmin'];
}
// All other collections — deny by default
match /{document=**} {
allow read, write: if false;
}
}
}
| Risk | Mitigation |
|---|---|
Hardcoded master bypass in AuthContext.jsx |
Remove before production |
| Firebase keys visible in bundle | Restrict in Google Cloud Console + enable App Check |
.env file with real credentials |
Covered by .gitignore; use secrets manager in CI/CD |
dist/ may contain sensitive build data |
Covered by .gitignore |
PatientManagement.jsx.zip and other large dumps |
Excluded by .gitignore |
Please do not open a public GitHub issue for security vulnerabilities.
- Email: shaurya@example.com (replace with your real address)
- Include: description of the vulnerability, reproduction steps, potential impact, and (if possible) a suggested fix.
- You will receive a response within 48 hours.
- Once confirmed and patched, the vulnerability will be disclosed publicly with credit to the reporter (unless you prefer to remain anonymous).
- Vulnerability is reported privately.
- We reproduce and assess severity (CVSS score).
- A patch is developed on a private branch.
- The fix is merged and a new release is tagged.
- A public advisory is published via GitHub Security Advisories.
Thank you for helping keep Clinical Horizon and its users safe.