Menu
Is there a way to restrict Cloud Firestore (for hosting/web) to do CRUD operations with restrictions to one domain only, say xyz.com?
For example, the rule below locks read, update, delete without authorisation but you can still write things to the database.
service cloud.firestore {
match /databases/{database}/documents {
match /coming-soon-email-ids/{document=**} {
allow write;
allow read, update, delete: if request.auth.uid == !null;
}
}
}
Or do I have to integrate Google's firewall in it?
639
Firebase security rules aren't able to restrict access to a web domain. In a very general sense, it is not possible, because Firestore is intended to be accessed from mobile clients around the world, using web, Android, and iOS. Android and iOS clients never appear to be coming from some domain. They just directly access the database via the provided client library, or sometimes through the Firestore REST API. Web clients may even spoof their apparent domain (which is only really available by the insecure "Referrer" header in an HTTP request).
You can only really restrict access to users signed in to your app or site using Firebase Authentication, but you can't limit where they come from.
181
I had the same question, and I coming up with a solution. You can do sign In anonymously:
const signIn = async () => {
auth.signInAnonymously()
.then(() => {
// Signed in..
})
.catch((error) => {
var errorCode = error.code;
var errorMessage = error.message;
// ...
});
Then you can put your rules like:
allow read, write: if request.auth != null;
Then in authentication, you can activate the a anonymous method for sign in and add your authorized domains.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
