How to make sure only my own website (client-side code) can talk to the Firebase backend?

I've read about Firebase and it looks awesome for what I want to do. I've read about authentication and how, based on rules, certain logged-in users are authorized to do different stuff. All good.

However, I'm unsure about another type of security: how do I make sure that only my own site (using client-side javascript) can talk to my firebase-backend? I'm asking because afaik there's no way to prevent anyone from looking up my firebase endpoint from the client-side code (url pointing to my specific firebase backend) and start using that for god knows what.

This is especially worrisome in situations in which I want to open up writes to the anonymous user role (e.g. some analytics, perhaps).

Any help in clearing my mind on this much appreciated.

Geert-Jan asked Sep 19 '13 08:09



1 Answer

Update (May 2021): Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to your backend service to only those requests coming from iOS, Android and Web apps that are registered in your Firebase project.

You'll typically want to combine this with the user authentication based security that Kato describes below, so that you have another shield against abusive users that do use your app.

In my opinion, this isn't so much a question about Firebase's security as a general discussion of the internet architecture as it stands today. Since the web is an open platform, you can't prevent anyone from visiting a URL (including to your Firebase) any more than you can prevent someone from driving past your house in the real world. If you could, a visitor could still lie about the site of origin and there is no way to stop this either.

Secure your data with authentication. Use the Authorized Domains in Forge to prevent CSRF. Put security rules in place to prevent users from doing things they should not. Most data writes you would use a server to prevent can be accomplished with security rules alone.

This is actually one of the finer qualities of Firebase and API services in general. The client is completely isolated and thus easily replaced or extended. As long as you can prove you're allowed in, and follow the rules, where you call in from is unimportant.

Regarding anonymous access, if you could make them visit only from your site, that still won't stop malicious writes (I can open my JavaScript debugger and write as many times as I want while sitting on your site). Instead, place tight security rules on the format, content, and length of data writable by anonymous users, or save yourself some time and find an existing service to handle your analytics for you, like the ubiquitous Google Analytics.

You can, of course, use a server as an intermediary as you would with any data store. This is useful for some advanced kinds of logic that can't be enforced by security rules or trusted to an authenticated user (like advanced game mechanics). But even if you hide Firebase (or any database or service) behind a server to prevent access, the server will still have an API and still face all the same challenges of identifying clients' origins, as long as it's on the web.

Another alternative to anonymous access is to use custom login, which would allow a server to create its own Firebase access tokens (a user wouldn't necessarily have to authenticate for this; the signing of the tokens is completely up to you). This is advantageous because, if the anonymous user misbehaves, the access token can then be revoked (by storing a value in Firebase which is used by the security rules to enforce access).

UPDATE

Firebase now has anonymous authentication built into Simple Login, so there is no need to use custom login for the common use cases here.

Kato answered Nov 15 '22 13:11
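As an added illustration of the advice above (not part of Kato's answer), here is a Realtime Database rules file that lets anonymous users append analytics events while constraining format, content and length, and that honours a `banned` list as the revocation mechanism the answer mentions. The path names `events` and `banned`, the field names `uid`, `page` and `ts`, and the 200-character limit are assumptions chosen for this example.

```json
{
  "rules": {
    "events": {
      ".read": false,
      "$eventId": {
        "// write": "any signed-in user (anonymous included) who is not on the banned list may create an event once; no updates or deletes",
        ".write": "auth != null && !root.child('banned').child(auth.uid).exists() && !data.exists()",
        "// validate": "exactly these three fields; uid must match the caller, page is a bounded string, ts cannot be in the future",
        ".validate": "newData.hasChildren(['uid', 'page', 'ts']) && newData.child('uid').val() === auth.uid && newData.child('page').isString() && newData.child('page').val().length <= 200 && newData.child('ts').isNumber() && newData.child('ts').val() <= now",
        "$other": {
          ".validate": false
        }
      }
    },
    "banned": {
      "// note": "only the Admin SDK (which bypasses rules) can add a uid here; clients can neither read nor modify the list",
      ".read": false,
      ".write": false
    }
  }
}
```

Placing a misbehaving anonymous uid under `banned` takes effect on that user's next write, without touching the client at all.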