hi i'm working with angular and firebase, in a web app, if i open the browser tools on console, i can see the connection keys to my firebase it's very bad.
the rules in firebase is the solution at this problem. but all answers i found are based on auth of users and on my web app is not necesary auth. how i can set rules so that only my web app can read and write without users auth. because if i create another projec and i use the same keys i can map the database and anyone can update the data thanks
p.d. my rules actually are read=true and write=true, this allows anyone to read and write.
{
"rules": {
".read": "true != null",
".write": "true != null"
}
}
P.d. my web app is hosted in Firebase Hosting thanks again
This is not possible with security rules. If you don't restrict usage with Firebase Authentication, that means anyone with an internet connection can read and write your database.
Related
I am new to Firebase. Recently I registered my web-app and my android app in my firebase project. I have a Realtime Database in my project where the following rules are set:
{
"rules": {
".read": "auth !== null",
".write": "auth !== null"
}
}
I just got an email today from firebase saying that my database is insecure as any authenticated user can modify it. So my question is what rules do I set in my database such that only some users registered in my firebase project (i.e., my web app and my android app) can access it?
The simplest way to allow only users of your app to access the data, is to implement Firebase App Check in the application and then enforce that for the Realtime Database.
This topic has been covered quite a few times before, so I recommend also checking out:
Locking down Firebase DB access to specific apps
Firebase rules that supports only requests from my apps
How do I prevent other users from accessing my Realtime Database via my Firebase URL? What must I do to secure it to only my domain?
First of all, understand that you cannot secure any URL on the internet according to the origin domain--malicious users can simply lie. Securing the origin domains is only useful in preventing cross-site spoofing attacks (where a malicious source pretends to be your site and dupes your users into logging in on their behalf).
The good news is that users are already prevented from authenticating from unauthorized domains from the start. You can set your authorized domains in Forge:
type your Firebase url into a browser (e.g. https://INSTANCE.firebaseio.com/)
log in
click on the Auth tab
add your domain to the list of Authorized Requests Origins
select a "provider" you want to use and configure accordingly
Now to secure your data, you will go to the security tab and add security rules. A good starting point is as follows:
{
"rules": {
// only authenticated users can read or write to my Firebase
".read": "auth !== null",
".write": "auth !== null"
}
}
Security rules are a big topic. You will want to get up to speed by reading the overview and watching this video
Setup security Rules,
source to learn : https://firebase.google.com/docs/rules
Use Emulators (It will make keys not easy to visible by beginner programmers)
, source : https://firebase.google.com/docs/rules/emulator-setup
Cloud Functions (It will hide the names of Collections and Docs)
, https://firebase.google.com/docs/functions
Limit the API keys to specific website/s(It will make peoples unable to access your website/app from outside)
if someone knows more methods, please tell, no one can be perfect.
I need to implement chatting for a mobile app that talks to my own server, so the registered user information is on my own server. So, if I use firebase real-time database for chatting, how do I write the security rules like these:
".read": "auth != null", ".write": "auth != null"
So the scenario is, my user's information are on my own server, in my own database. I want to use firebase to implement a chat
How do I write the database rules that prevents anyone from reading the messages from database (by hitting the URL maybe ?)
Yours is precisely the scenario that Firebase Custom Authentication was made for.
On your server you authenticate your user against your own user database, then you mint a JSON Web Token with the information about that user that you want Firebase to know. At the very least the token should contain a uid, but it may contain more information that you can then access in your security rules. Once you've created the JWT, return it to your user.
In your app, you then use the JWT to sign in with Firebase. For example on Android that means, you'll call the FirebaseAuth.signInWithCustomToken() method.
For more information see the Firebase Database Server documentation.
This question already has an answer here:
how to make sure only my own website (clientside code) can talk to Firebase backend?
(1 answer)
Closed 7 years ago.
I am using firebase for my android app and using anonymous authentication. Now anyone can see the url by monitoring the requests or reverse engineering the app.
And then make his own app with my firebase url and use use anonymous authentication. So how to prevent this?
I am using anonymous authentication so that nobody can use the rest endpoints.
I have read the below post but i don't understand how to prevent this.
How to prevent other access to my firebase
My writes are authenticated with email + password.
My reads are authenticated by anonymous authentication.
You cannot prevent other people from seeing your Firebase url.
Firebase provides you with a cool dashboard from where you can block non-authorized people from fetching your database information. Make sure you have the following code under your "Security & Rules" tab:
{
"rules": {
// only authenticated users can read or write to my Firebase
".read": "auth !== null",
".write": "auth !== null"
}
}
How do I prevent other users from accessing my Realtime Database via my Firebase URL? What must I do to secure it to only my domain?
First of all, understand that you cannot secure any URL on the internet according to the origin domain--malicious users can simply lie. Securing the origin domains is only useful in preventing cross-site spoofing attacks (where a malicious source pretends to be your site and dupes your users into logging in on their behalf).
The good news is that users are already prevented from authenticating from unauthorized domains from the start. You can set your authorized domains in Forge:
type your Firebase url into a browser (e.g. https://INSTANCE.firebaseio.com/)
log in
click on the Auth tab
add your domain to the list of Authorized Requests Origins
select a "provider" you want to use and configure accordingly
Now to secure your data, you will go to the security tab and add security rules. A good starting point is as follows:
{
"rules": {
// only authenticated users can read or write to my Firebase
".read": "auth !== null",
".write": "auth !== null"
}
}
Security rules are a big topic. You will want to get up to speed by reading the overview and watching this video
Setup security Rules,
source to learn : https://firebase.google.com/docs/rules
Use Emulators (It will make keys not easy to visible by beginner programmers)
, source : https://firebase.google.com/docs/rules/emulator-setup
Cloud Functions (It will hide the names of Collections and Docs)
, https://firebase.google.com/docs/functions
Limit the API keys to specific website/s(It will make peoples unable to access your website/app from outside)
if someone knows more methods, please tell, no one can be perfect.