Serverless Deployment and Security Hardening

The subject of this project is a real-time multiplayer web application deployed at bentwalad.netlify.app ↗. The technology choices were deliberately constrained: a single static HTML file, no server, no build pipeline, and no backend beyond what Firebase provides. This constraint is worth examining from a security standpoint because it removes the server-side trust layer that most web security models assume.

When there is no server, there is no place to validate requests before they reach the database. All business logic runs in the client. All database writes come directly from user browsers. All credentials are embedded in the source. This shifts the entire security responsibility onto two surfaces: the database access control rules, and the defensiveness of the client-side code. Both were found to have significant gaps on initial deployment and were hardened through three audit cycles.