Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to restrict Firebase data modification?

Tags:

security

firebase

Firebase provides database back-end so that developers can focus on the client side code.

So if someone takes my firebase uri (for example, https://firebaseinstance.firebaseio.com) then develop on it locally.

Then, would they be able to create another app off my Firebase instance, signup and authenticate themselves to read all data of my Firebase app?

like image 427
rattanak Avatar asked Feb 15 '16 20:02

rattanak

People also ask

How do you secure rules in Firebase?

How do they work? Firebase Security Rules work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths. All Rules across Firebase products have a path-matching component and a conditional statement allowing read or write access.

How do I set rules in Firebase database?

These rules are hosted on Firebase servers and are applied automatically at all times and you can change the rules of your database in Firebase console. You just have to select your project, click on the Database section on the left and select the Rules tab.

How do I protect my Firebase API key?

Be sure your Firebase project is still selected. Click Create credentials > API key. Take note of the new API key, then click Restrict key. In the API restrictions section, select Restrict key, then add to the list only the Super Service API .

1 Answers

@Frank van Puffelen,

You mentioned the phishing attack. There actually is a way to secure for that.

If you login to your googleAPIs API Manager console, you have an option to lock down which HTTP referrer your app will accept request from.

  1. visit https://console.developers.google.com/apis
  2. Go to your firebase project
  3. Go to credentials
  4. Under API keys, select the Browser key associated with your firebase project (should have the same key as the API key you use to initialize your firebase app.)
  5. Under "Accept requests from these HTTP referrers (web sites), simply add the URL of your app.

This should only allow the whitelisted domain to use your app.

This is also described here in the firebase launch-checklist here: https://firebase.google.com/support/guides/launch-checklist

Perhaps the firebase documentation could make this more visible or automatically lock down the domain by default and require users to allow access?

like image 104
prufrofro Avatar answered Sep 18 '22 15:09

prufrofro
Sign in to Comment

Related questions

The EXECUTE permission is denied on the user-defined table types?
Securely storing passwords for use in python script [duplicate]
Which $_SERVER variables are safe?
How do you set up use HttpOnly cookies in PHP
How permission can be checked at runtime without throwing SecurityException?
https URL with token parameter : how secure is it?
SSL and man-in-the-middle misunderstanding
Is there a difference between authentication and authorization?
best practice to generate random token for forgot password
client secret in OAuth 2.0
What's the right OAuth 2.0 flow for a mobile app
How to limit setAccessible to only "legitimate" uses?
What is SQL injection? [duplicate]
Disable-web-security in Chrome 48+
How do I secure REST API calls?
Best practices around generating OAuth tokens?
Why use an API key and secret?
What are the risks of running 'sudo pip'?
The necessity of hiding the salt for a hash
Why is printf with a single argument (without conversion specifiers) deprecated?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!