Documentation

Technical documentation for the PestControlOS CRM and Android app.

Architecture, security, Firestore model, and feature details for developers and technical reviewers.

Security controls

Technical measures used to protect data and prevent abuse.

Application layer

  • Firebase App Check : Enabled for web (reCAPTCHA v3) and Android (Play Integrity or SafetyNet). Used to reduce unauthorised API access.
  • Callable functions : All sensitive or write operations from the marketing site (e.g. preview request signup) go through callables. No direct client writes to sensitive collections.
  • Server-side validation : Every callable validates payload (schema, length, honeypot). Never trust client input.

Firestore rules

  • previewRequests : Create-only. No read, update, or delete from client. Schema enforced with request.resource.data.keys().hasOnly(...) and type checks.
  • Other collections : Read/write only when request.auth is set and (where applicable) token claims match resource org/tenant.

Rate limiting

  • Per IP : Limit requests per IP per hour for signup/demo endpoints.
  • Per email : Limit submissions per email per hour to prevent abuse.
  • Counters stored in Firestore (e.g. rateLimits/{ipOrEmail}) or in-memory with fallback. Functions reject when limits are exceeded.

Headers and hosting

  • Security headers on Firebase Hosting: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy. CSP added when it does not break the site.
We use essential cookies and local storage to run this website. See our Cookie Policy.