Merge pull request #98 from acaptutorials/dev

v1.3.6

Author: acaptutorials

README.md

@@ -163,4 +163,7 @@ https://hub.docker.com/r/acaptutorials/acaptutorials.github.io
 | DOCKERHUB_USERNAME | Docker Hub username |
 
 @acaptutorials<br>
-20240806
+20240806<br>
+20250601
+
+

docs/pages/articles/_meta.json

@@ -3,5 +3,6 @@
   "deployment-vercel": "Deployment to Vercel",
   "pdf-development": "PDF Development",
   "provinces-municipalities": "Provinces and Municipalities",
-  "opensource-libraries": "Open Source Libraries"
+  "opensource-libraries": "Open Source Libraries",
+  "security-bestpractices": "Security Best Practices"
 }

docs/pages/articles/security-bestpractices.mdx

@@ -0,0 +1,36 @@
+# 🔐 ACAP Developer Security Best Practices Checklist
+
+> This checklist, reflecting the needs of the [Security](/security) section and the [ACAP Professional Mindset on Security](https://github.com/acaptutorials/acaptutorials/blob/main/README.md#-acap-professional-mindset-on-security), enumerates the desirable traits and mindsets of programmers, especially for **code maintainers** or **main/primary ACAP lead developers** handling ACAP development.
+>
+> ✅ Use this checklist as a guideline along with the [Security](#security) expectations during planning, code reviews, or when designing features that handle user input, authentication, or database operations.
+
+### 1. Mindset and Responsibility
+- [ ] I prioritize **user safety and data protection** over rapid feature delivery.
+- [ ] I integrate **security considerations in every development phase**—from design to deployment.
+- [ ] I recognize that **security is a shared team responsibility**, not a post-incident task.
+
+### 2. Firestore & Backend Practices
+- [ ] I **avoid writing to Firestore directly from the front-end** when the data is sensitive or requires validation.
+- [ ] I implement **strong Firestore security rules** that match the expected schema and use strict access controls.
+- [ ] I **validate all input server-side**, even if it’s also validated on the front-end.
+
+### 3. Input Handling and Content Security
+- [ ] I sanitize **WYSIWYG or HTML-formatted input** to prevent XSS or unsafe content injection.
+- [ ] I use **established libraries and sanitization methods** instead of building ad-hoc solutions for HTML or user input.
+- [ ] I escape user-generated content correctly in all **PDFs, emails, and rendered UI components**.
+
+### 4. Data Structure Integrity
+- [ ] I enforce **tight schema validation** to prevent Firestore document pollution (uncontrolled key-value growth).
+- [ ] I use **Firebase Cloud Functions or middle-layer APIs** to validate and shape incoming data before writing to the database.
+- [ ] I regularly monitor for **unexpected document structures or recursive collections**.
+
+### 5. Security Reports and Technical Debt
+- [ ] I take **security concerns seriously**, especially those that are **clearly reproducible** or reported by team members.
+- [ ] I **do not delay security fixes** unless justified with clear documentation and risk mitigation steps.
+- [ ] I log and track known vulnerabilities as **actionable backlog items**, not as "someday" issues.
+
+### 6. Team Collaboration and Growth
+- [ ] I am **open to feedback** and security advice from peers, even if it challenges my current approach.
+- [ ] I **communicate blockers** early if I need help on a security implementation.
+- [ ] I actively **share security learnings** with the rest of the team (e.g., via code reviews or internal notes).
+

docs/pages/directories/client.mdx

@@ -2,7 +2,7 @@ import { FileTree, Callout } from 'nextra/components'
 
 # Client
 
-The **client** directory contains codes and configurations/settings for the (React) NextJS front end and Firebase. The folder tree displays the relevant files and folders.
+The **client** directory contains codes and configurations/settings for the (React) NextJS v13 + Material UI v5 front end and Firebase. The folder tree displays the relevant files and folders.
 
 The NextJS frontend uses the [**pages router**](https://nextjs.org/docs/pages) since this is suitable for generating static pages to host on GitHub Pages. It uses the `"container component"` as a dominant pattern, also known as `"component and presentational"` components, for distinguishing between logic (container) and UI (component).
 

docs/pages/references.mdx

@@ -23,16 +23,17 @@ This section contains URL links to partners and various online references used b
 
 <div className="text-semibold text-sm text-purple-500 no-underline hover:underline">
 - [NextJS](https://nextjs.org/)
-- [Material UI](https://mui.com/material-ui/)
+- [Material UI 5 (MUI5)](https://mui.com/material-ui/) - version 5 (v5)
 - [GitHub Pages](https://pages.github.com/)
+- [Firebase JavaScript SDK](https://firebase.google.com/docs/web/setup) - Firebase Authentication, Cloud Firestore and Cloud Storage
 - [Firebase Hosting](https://firebase.google.com/docs/hosting/)
 </div>
 
 ### Backend
 
 <div className="text-semibold text-sm text-purple-500 no-underline hover:underline">
 - [NodeJS](https://nodejs.org/en)
-- [Firebase Admin SDK](https://firebase.google.com/docs/admin/setup)
+- [Firebase Admin SDK](https://firebase.google.com/docs/admin/setup) - Firebase Auth, Cloud Firestore and Cloud Storage
 - [Render](https://render.com/)
 - [Vercel](https://vercel.com/)
 - [GitHub Actions](https://docs.github.com/en/actions)

docs/pages/requirements.mdx

@@ -14,7 +14,7 @@ This post describes the dependencies and requirements needed to run run ACAP 1.0
 #### Main Development
 
 1. Visual Studio Code (VSCode) IDE
-   - version: v1.79.2 (any version that can run NodeJS)
+   - version: v1.79.2 (or versions capable of running NodeJS in its Integrated Terminal)
 2. nvm
    - <Callout>
      **nvm** is optional, if you can install NodeJS LTS version 16.14.2 on **item #3**
@@ -45,12 +45,12 @@ This post describes the dependencies and requirements needed to run run ACAP 1.0
 3. JavaScript
 4. GitHub
 5. Firebase
-   - Firebase for Web
-   - Firebase for NodeJS (Firebase Admin)
-   - Firebase Services (Components)
+   - [Firebase JavaScript SDK (for frontend web clients)](https://firebase.google.com/docs/web/setup)
+   - [Firebase Admin SDK (for backend NodeJS)](https://firebase.google.com/docs/admin/setup)
+   - Firebase Services (Components) - used within the contexts of the **Firestore JavaScript SDK** and the **Firebase Admin SDK**
       - Authentication <sup>[[1]](https://firebase.google.com/docs/auth/)</sup>
-      - Firestore <sup>[[2]](https://firebase.google.com/docs/firestore/)</sup>
-      - Storage <sup>[[3]](https://firebase.google.com/docs/storage/)</sup>
+      - Firestore (Cloud Firestore) <sup>[[2]](https://firebase.google.com/docs/firestore/)</sup>
+      - Storage (Cloud Storage) <sup>[[3]](https://firebase.google.com/docs/storage/)</sup>
       - Hosting <sup>[[4]](https://firebase.google.com/docs/hosting/)</sup> _(Only used with the **development** environment)_
 
 ### Cloud Service Accounts (standard pricing)

docs/pages/security.mdx

@@ -99,6 +99,10 @@ Since ACAP's initial development in 2022, many of these libraries may have becom
 
 Developers maintaining ACAP are encouraged to <u>monitor and update these dependencies as needed</u> to benefit from performance improvements, security patches, and new features, possibly requiring using <u>newer Node versions</u>.
 
+## ✅ Checklist
+
+The [ACAP Developer Security Best Practices Checklist](/articles/security-bestpractices) article summarizes the main points and highlights of this section and mentions the desirable traits and mindset when it comes to security.
+
 ## Related
 
 - [Server Notes](/directories/server)