Having one of application hosted on Firebase with some additional services there (Cloud Firestore, Cloud Storage for Firebase, Cloud Functions for Firebase) decided to make some security scanning. One of the tools https://sitecheck.sucuri.net/ shows me that there's no firewall for it, is it possible? It has reverse proxy & Fastly's CDN, but would be a firewall missing for apps hosted on Firebase Hosting?
Firebase hosting resources access is unfortunately not restricted by any means, check out the question below?
Can Firebase restrict access to resources?
However, There are things you can do in the regard of security:
Use Cloud functions to render dynamic resources and microservices
https://firebase.google.com/docs/hosting/functions
Use Firestore rules to secure the data access
Use Firebase authentication to make sure that only authenticated users can do certain actions
Even though, we all hope for that firewall option to be added.
Best Regards
Firebase Hosting does not have a firewall feature. If you publish content to it, that will be accessible from anywhere there is an internet connection.
Related
What is Firebase Hosting for? Examples? I'm not clear on what it does with respect to hosting a website or server or both....
My understanding of hosting is that one would enlist something like Bluehost or GoDaddy to host a webpage, which they would then upload the website files via an FTP. I see it appears Firebase Hosting may serve a similar purpose and you can add your own domain name like this.
I also understand that websites sometimes require a separate server to do things like: processing requests while keeping secret keys hidden, or rendering a unique webpage server-side and sending a static page to the user. I've used Firebase Realtime Database for non-secure data storage, but I would like to be able to use the hosting as well for serving private user-specific content without exposing keys.
I just did a tutorial to create what seemed like a web app that one would query from another webpage, but I wasn't able to deploy and try it out because of the pay-wall.
Can Firebase Hosting be my secondary server that processes private requests to a database or is it only for hosting a user-facing webpage, or both?
I am new to programming and would appreciate hearing if it seems like I am misunderstanding something within my question. Recommended resources for further learning on this subject are greatly appreciated!
Thank you.
Hosting a static web site
Firebase Hosting on its own is a service for hosting static assets. So in your scenario HTML + CSS + Images + JavaScript files that are included in them. None of this content is executed, or in any other way interpreted, on the Firebase servers. You upload (in Firebase terms "deploy") the files to Firebase, which then distributes then to its global CDN edges, and when your site is visited, the content it served from that CDN.
In the Firebase documentation on what can you host this is referred to as:
Host your single-page web apps, marketing websites, and static and dynamic assets
Hosting a static web site with dynamic content
You can use Firebase with many of the other back-end services to add dynamic functionality to your static web site. For example, you can call Realtime Database from your client-side JavaScript code, and display dynamic data in your static web app that way. Firestore would be similar, which you could use in place of Realtime Database. Similarly you can use Firebase to connect to Cloud Storage, for storing of files, for example to allow your users to upload and view images.
And then you'll typically want to secure access to all this dynamic content. At that point, you use Firebase Authentication to allow your users to sign in, and when you'll use Firebase's server-side security rules, which are available for Realtime Database, Cloud Firestore and Cloud Storage. These rules determine what data or files the users can access.
The Firebase documentation covers this in the section on deep integrations with other Firebase products.
Firebase Hosting works out-of-the-box with Firebase services, including Cloud Functions, Authentication, Realtime Database, Cloud Firestore, and Cloud Messaging. You can build powerful microservices and web apps using these complementary Firebase services.
Adding dynamic server-side pieces to web site
You can integrate Firebase Hosting with Google Cloud Functions and Cloud Run to build dynamic web sites. In those scenarios, you host the server-side code on Cloud Run or Cloud Functions, and set Firebase Hosting up to redirect certain URLs to specific end points in your server-side code.
In the Firebase documentation on what can you host this is referred to as:
Pair Firebase Hosting with Cloud Functions to build microservices using the Express.js framework. This pairing allows you to host your microservices and APIs on Firebase.
This is a web page located on Firebase Hosting, served dynamically through a rewrite to a Cloud Function
When browsing to the url, I receive "Error: Forbidden
Your client does not have permission to get URL [/theURL] from this server.
Everything works as long as I have "allUsers" added as a Cloud Functions Invoker on the function via the GCP console. I have confirmed this with testing just throwing that one switch and getting two different results.
I am logged into my Chrome browser with the same Google account as the owner of the GCP project
I am logged in to my Firebase website (Firebase Authentication and Firestore roles management) using the same Google account, with a Firebase __session cookie and all.
This started when I upgraded my Node.js engine from 8 to 10 with the recent warnings from Google that they're dropping support for 8. (I am assuming, but have no real idea, that the version 8 runtime environment didn't have this feature?)
I wrote these Cloud Functions without any knowledge of GCP authentication, so I am relatively confident that my coding inside the Cloud Function is secure, but if there is another layer of security that I could/should be using, I'm all for it.
I will want this website to be publicly accessible, but I can granulate the functions to public vs. non-public if necessary. (Basically, I was writing them as all publicly accessible and internally authenticated/secured anyway.)
I'm not very knowledgeable at all about the GCP authentication requirements, so it's hard for me to pin this down to one central question, but here are some questions I know I don't know:
Should Firebase Hosting be added as a member to GCP's authentication groups, so that GCP only allows service of a Cloud Function to the rewrite requests? It seems that would be the most secure and straightforward method.
Why is GCP telling my I'm forbidden when I'm the owner of the whole doggone project? Does this have to do with Firebase Rewrite or maybe HTTP requests being anonymous? If so, then how does one authenticate for a Cloud Function anyway?
Sorry for the large scope of the question; any guidance in the right direction is much appreciated.
GCP allUsers is not related to Firebase Authentication. They deal with different sets of users. A function should have GCP allUsers invoker permission in order to allow access from web and mobile apps where users are signed in with Firebase Auth. GCP does not check the Firebase user - that is up to the function to do, if it wants, using the Firebase Admin SDK.
I am working on a platform (www.dashboard.example.com) that has an admin site (www.admin.example.com). Each site is hosted on a different Google Firebase Hosting Project.
I want only certain people to be able to access the admin site. After some consideration, I found an IPSec VPN to be the best solution for me.
I also found that GCP offers a VPN service, but from what I can tell, it seems to only work with google compute engines.
Is there a way to attach a Google VPN to a Firebase Hosted site?
There is no way to attach a Cloud VPN to a Firebase Hosting Project.
In GCP the correct way to restrict the access to your web server/application is by using firewall rules/App Engine's firewall and Cloud VPC/VPN service.
Your approach should be to put a proxy by configuring a Google Compute Engine1 in between your gateway service and your Firebase Hosting Project.
Another approach would be to use Cloud Storage2, as a static website3. You can then create an HTTPS Load Balancer based on Backend Bucket4. With this you can benefit from the advantages of using Load Balancer and also using Cloud VPN.
If you are interested in authentication with Firebase and App Engine I suggest to check the following link 2.
I am using angular 4 angularfire 2 and firebase in an web app. I am conditionate to use firebase as a backend service and because the app has to only be used inside the office i am wondering if there is any way i can configure some firebase rules or anything to make the app not work or be shown from another ip than the office ip. Please leave any kind of way i can do it. Thanks in advance!
There is currently no way to restrict access to a site deployed to Firebase Hosting. It will always be accessible from anywhere in the world that is not blocked by some other firewall.
Using Firebase stack for chrome extensions :) However, have one BIG problem.
Users located in China cant use the app since Google is blocked there thus Firebase authentication fails ... well, one option is to use VPN but in terms of user experience, it's a big No No ... is there any better way to resolve/workaround this issue
Using mainly firebase auth (Google provider) and Firestore
Can use somehow custom tokens to resolve this?
https://firebase.google.com/docs/auth/admin/create-custom-tokens
Or external authentication service combined with firebase, in this case, need to have authenticated access to firestore as well
Create an API on HEROKU. Make all your Oauth and every call made for firebase go through the API. This API will only bridge all information between CHINA and GoogleServices (Firebase) since the great firewall blocks them.
The simplest solution may be to set up a proxy server to forward your apps requests to Firebase.