If I were to build a site without database interaction (no login on the site) with firebase. Do I need to change default security rules that looks like this: <pre class="prettyprint"><code> { "rules": { ".read": true, ".write": true } } </code></pre> This red exclamation sign in the security & rules section says that I better write some security rules. So the question is, is it safe to leave this as is if you don't use login/signup ?

The thing is, FireBase has changed a lot. The new admin area has predefined security measures in place. So, you don't really have to worry about that anymore. The default set of rules are <pre class="prettyprint"><code>{ "rules": { ".read": "auth != null", ".write": "auth != null" } } </code></pre> And in case you want to open them up for both read and write permissions, you can roll back to <pre class="prettyprint"><code>{ "rules": { ".read": true, ".write": true } } </code></pre>

With the default rule: <pre class="prettyprint"><code> "rules": { ".read": true, ".write": true } </code></pre> everybody can read and can write your data using the Android,IOS and WEB SDKs. You should provide a kind of authentication with a Token or with Email/Password authentication. <pre class="prettyprint"><code> "rules": { ".read": "auth !== null", ".write": "auth !== null", } </code></pre> Pay attention because your rules don't effect what you can or can't do in the Firebase dashboard. Anyone with access to the dashboard, including collaborators who you share your Firebase dashboard with, can circumvent the rules. More info here.

Do I have to change security rules in firebase if I'm not using database?

Tags:

firebase

firebase-realtime-database

firebase-security

firebase-hosting

If I were to build a site without database interaction (no login on the site) with firebase. Do I need to change default security rules that looks like this:

 {
        "rules": {
            ".read": true,
            ".write": true
        }

 }

This red exclamation sign in the security & rules section says that I better write some security rules. So the question is, is it safe to leave this as is if you don't use login/signup ?

364

asked May 04 '16 06:05

Un1

2 Answers

The thing is, FireBase has changed a lot. The new admin area has predefined security measures in place. So, you don't really have to worry about that anymore.

The default set of rules are

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

And in case you want to open them up for both read and write permissions, you can roll back to

{
   "rules": {
     ".read": true,
     ".write": true
   }
}

answered Sep 18 '22 23:09

Ahmad Awais

With the default rule:

 "rules": {
            ".read": true,
            ".write": true
        }

everybody can read and can write your data using the Android,IOS and WEB SDKs.

You should provide a kind of authentication with a Token or with Email/Password authentication.

 "rules": {
         ".read": "auth !== null",
         ".write": "auth !== null",       
       }

Pay attention because your rules don't effect what you can or can't do in the Firebase dashboard. Anyone with access to the dashboard, including collaborators who you share your Firebase dashboard with, can circumvent the rules.

More info here.

answered Sep 18 '22 23:09

Gabriele Mariotti

Related questions
                            
                                Error when trying to add downloadUri to firestore document. "Could not serialize object. Exceeded maximum depth of 500"
                            
                                Flutter: How to remove a specific array data in firebase
                            
                                Firestore: Error: 4 DEADLINE_EXCEEDED: Deadline exceeded
                            
                                Flutter Firebase Auth: A network error (such as timeout, interrupted connection or unreachable host) has occurred
                            
                                ERROR in node_modules after updating the npm?
                            
                                Firebase + Chrome content security policy settings?
                            
                                Android Firebase - Can't receive proper JSON from Firebase snapshot
                            
                                Firebase v3 updateProfile Method
                            
                                Using Same Firebase App With Web and Mobile App
                            
                                How to compare old and new value with Cloud Functions for Firebase with .onWrite or onchange?
                            
                                Firebase 'bytesTransferred': Property 'bytesTransferred' does not exist on type 'Object'
                            
                                Can PHP retrieve data from Firebase / Firestore?
                            
                                Firebase Functions Deploy looking in wrong directory for Node_Modules
                            
                                Permission denied using Firebase database with Flutter
                            
                                Flutter: generate release SHA1 fingerprint
                            
                                How to convert GeoPoint in Firestore to LatLng
                            
                                Can't link app in Fabric to existing Firebase project
                            
                                Adding Firebase Crashlytics either crash in runtime or fail unit test build
                            
                                Upload APNs to Firebase console fails - "There is no Team ID stored for this app"
                            
                                ERROR NullInjectorError: R3InjectorError(AppModule)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With