Security & Protection
While Firebase does have a CDN, it does not offer distributed denial-of-service (DDoS) protection, a web application firewall (WAF), or rate limiting. All of these are important for stopping malicious actors from breaking your system or stealing your data.
Security information
Firebase services encrypt data in transit using HTTPS and logically isolate customer data. In addition, several Firebase services also encrypt their data at rest, including Cloud Firestore and Cloud Functions for Firebase.
If you use password-based Firebase Authentication and someone gets hold of your API key, they will not be able to access any of your Firebase project's database or Cloud Storage data as long as this data is protected by Firebase Security Rules.
With Firebase, you don't build a SQL command (or any string command composed of various parts that require escaping) in order to execute a query. Instead, you use an API provided by the SDK, and pass strings that are automatically managed by the API. This means that SQL injection is not an issue here.
I am trying to understand/anticipate the security considerations associated with using Firebase as a backend.
The documents cover authenticating users and validating input, but I cannot find any discussion of the risk associated with malicious users trying to inject JavaScript into the database.
Is it possible that JavaScript could be included in an input field that is saved to the database and then executed later when that content is retrieved and displayed elsewhere?
Or is Firebase escaping or sanitizing data somehow?
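The stored-script concern raised in the question, as an added JavaScript example that is not part of the original page or of Firebase's own code: Firebase databases store strings verbatim and do not sanitize HTML, so the client must validate on write and escape on render. The field names, the comment length limit and the sample document are assumptions constructed for this illustration.

```javascript
// Added example, not from the page or from Firebase. Firestore / Realtime Database
// keep strings exactly as written, so defence against stored XSS has two parts:
// check what you accept before writing, and escape what you display when reading.

const MAX_COMMENT_LENGTH = 500; // assumed application limit, mirrored in Security Rules

// Replace the five HTML-significant characters with entities. Do this at render
// time, never before storage, so the database keeps the user's raw text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Write-side check. The authoritative check belongs in Firebase Security Rules
// (type and size validation); this client copy is defence in depth only.
function validateComment(doc) {
  if (typeof doc.text !== 'string') {
    return { ok: false, reason: 'text must be a string' };
  }
  if (doc.text.length === 0 || doc.text.length > MAX_COMMENT_LENGTH) {
    return { ok: false, reason: 'text length out of range' };
  }
  return { ok: true };
}

// Safe render: every field that came from the database is escaped.
function renderComment(doc) {
  return `<li class="comment">${escapeHtml(doc.author)}: ${escapeHtml(doc.text)}</li>`;
}

// Unsafe counterpart for contrast: interpolating raw database content into
// innerHTML lets any markup a user stored execute in other users' browsers.
function renderCommentUnsafe(doc) {
  return `<li class="comment">${doc.author}: ${doc.text}</li>`;
}

// Constructed sample document, as it might be read back from the database.
const sampleDoc = { author: 'mallory', text: '<script>alert("xss")</script> hi' };
```

Only `renderComment` produces markup that is safe to assign to `innerHTML`; assigning the output of `renderCommentUnsafe` (or the raw field) is what turns a stored string into executed script.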