
How to restrict Firebase data modification?

Firebase provides database back-end so that developers can focus on the client side code.

Suppose someone takes my Firebase URI (for example, https://firebaseinstance.firebaseio.com) and then develops on it locally.

Would they then be able to create another app off my Firebase instance, sign up and authenticate themselves to read all data of my Firebase app?

rattanak asked Feb 15 '16 20:02



1 Answer

@Frank van Puffelen,

You mentioned the phishing attack. There actually is a way to secure for that.

If you log in to your Google APIs API Manager console, you have an option to lock down which HTTP referrers your app will accept requests from.

  1. Visit https://console.developers.google.com/apis
  2. Go to your Firebase project
  3. Go to credentials
  4. Under API keys, select the Browser key associated with your Firebase project (it should have the same key as the API key you use to initialize your Firebase app).
  5. Under "Accept requests from these HTTP referrers (web sites)", simply add the URL of your app.

This should only allow the whitelisted domain to use your app.

This is also described in the Firebase launch checklist here: https://firebase.google.com/support/guides/launch-checklist

Perhaps the Firebase documentation could make this more visible, or automatically lock down the domain by default and require users to allow access?

prufrofro answered Sep 18 '22 15:09
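
What a signed-up, authenticated user can read or modify is decided by the database's security rules. The following is an added example, not part of the original question or answer: Realtime Database rules that scope access per user instead of granting it to every authenticated account. The `users` and `posts` paths and the `owner` and `title` fields are assumed names for illustration.

```json
{
  "rules": {
    // Weak form, for comparison: putting ".read": "auth != null" here at the
    // root would let anyone who signs up read the whole database, because
    // access granted at a parent path cannot be revoked by a child rule.
    "users": {
      "$uid": {
        // Each user can read and write only their own subtree.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "posts": {
      // Signed-in users may read posts.
      ".read": "auth != null",
      "$postId": {
        // Create when signed in; change or delete only a post you already own.
        ".write": "auth != null && (!data.exists() || data.child('owner').val() == auth.uid)",
        // Written data must name the writer as owner and carry a short string title.
        ".validate": "newData.hasChildren(['owner', 'title']) && newData.child('owner').val() == auth.uid && newData.child('title').isString() && newData.child('title').val().length <= 200"
      }
    }
  }
}
```

Any path not matched by a rule that grants access is denied by default, so new top-level data stays closed until a rule is written for it.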