Is it acceptable to leave a database (Cloud Firestore) unsecured when no site login is required?

Question

I'm building a game with Angular and (for the first time ever) I'm trying to add a high score table. I have set up a Firebase account and got a Firestore (Beta) database working and hooked up.

I want a very simple high score system. Users will not be required to log in or create an account, you simply turn up, play and then, if you achieve a high score, enter your name and it is recorded and displayed in the table.

So my question is - in a situation where no login is required and only basic name/score/timestamp data is saved, is it acceptable to just leave my security rules as below or is there a better way to structure them?

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write;
    }
  }
}

As they are, I get a warning that my database is open to anyone with the reference but is this really so bad in my particular situation? Are there issues with this that I'm not seeing as database newb?

Any advice would be great as this is new (and complex) territory for me.

Cheers

Answer 1

I wish I could use red blinking underlined text here, but you should definitely not leave your database with this ruleset in place.

Anyone who plays your game will see your database. With the ruleset you have, anyone can read and write anything to the database (not just your score board). You'll be allow anyone to run their own system using your database, with the costs being charged to your account.

At a minimum, given the description you've provided, you should:

• Only allow reading & writing to your score board collection
• Validate the score is a valid value (e.g. an integer and within a certain range
• Validate the name is a valid value (help protect against possible XSS attacks)
• Validate no extra fields other than score and name be being written to a document (so people can't hide other payloads).

Answer 2

Generally speaking, those settings are used for testing purposes. You can allow users to read from your database only when you decide that those informations can be public. If you have sensitive information (i.e. user informations), it's mandatory to secure your database and allow only the users you that you decide that can read that informations. So if you decide later to add autentication, then it's a must to secure your database. That's the same regarding writting purposes.

Hope it helps.