Insecure Firebase security rules? | Sololearn: Learn to code for FREE!

+2

Insecure Firebase security rules?

I got an email from Firebase saying my security rules are insecure. 🤨 My security rules say: allow read: if false; allow update: if false; allow delete: if false; allow create; The user can literally only create a document, that’s it. The email states that anyone can write to my db, but that’s not true. Write means update, delete, and create... Do my rules look insecure to anyone?

10/3/2020 6:04:31 PM

urlocaldesigal
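The rule set from the question, tightened as an added example (this is not code from the original post, from any answer, or from Firebase's documentation): it keeps create open, as the asker wants, but limits what an unauthenticated client holding the public web config can create, and reserves read and delete for the site owner, who, later in the thread, says they read the collected emails. The collection name `subscribers` and the value `OWNER_UID_PLACEHOLDER` are assumptions; the page names neither.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed collection name for the blog's email list; the question
    // does not say which collection the site writes to.
    match /subscribers/{docId} {

      // Only the site owner may read or delete entries. OWNER_UID_PLACEHOLDER
      // stands for the UID shown under Authentication > Users in the console.
      allow read, delete: if request.auth != null
                          && request.auth.uid == "OWNER_UID_PLACEHOLDER";

      // An entry can never be changed after it is written.
      allow update: if false;

      // The asker's "allow create;" accepts any document of any size from
      // anyone who has the public config, which is why Firebase calls the
      // rules insecure. This version still lets anonymous visitors create,
      // but only a document with exactly one field, "email", that is a
      // string of bounded length and has the shape of an address.
      // Prepending "request.auth != null &&" would additionally require
      // login, as several answers in the thread suggest.
      allow create: if request.resource.data.keys().hasOnly(["email"])
                    && request.resource.data.email is string
                    && request.resource.data.email.size() <= 254
                    && request.resource.data.email.matches("^[^@]+@[^@]+[.][^@]+$");
    }

    // Everything else stays locked. Firestore denies by default, and no
    // "if false" can override an "allow" elsewhere, so this block is only
    // an explicit statement of that default.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Note that "allow write" in this language is shorthand for create, update and delete together, so the asker is right that the original rules permit only create; the problem the email points at is an unconditional create, not a mislabelled write. Rules cannot rate-limit, so a site that must stay open to anonymous visitors still relies on the validation above plus the Google Cloud API-key referrer restriction mentioned later in the thread to limit abuse.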

20 Answers


+2

Yes, they can if they have your DB link, since you allow create. Am I wrong? So the only way you could secure it is with a uid, i.e. add login, and when the user creates an account it creates a uid, so anyone who has an account can create in the DB.

+2

Ananaya Jemberu What if I only allow requests from my website? Would I still be threatened?

+2

Firebase may send you this message because nobody can read, but anyone who has the DB link can create unnecessary data. But if you want, it's okay. To clarify your question: what kind of data are you storing in it, user profiles, just public data, or suggestions for you, or private data? What kind of website do you want to make with it, social media? To suggest whether it's secure or not, please answer the question.

+2

So keep it as it is. It is safe, as I see from your answer. No need to hide the key (obfuscate) and no need to fear.

+2

Yeah, I have used Firebase for a while. Don't worry, they can't read. You can obfuscate. As you answered my question, "it doesn't matter whether they can post". If you want this, you don't have to; see this post: https://www.medium.com/@devesu/how-to-secure-your-firebase-project-even-when-your-api-key-is-publicity-available-a462a2a58843

+1

Use this code as an example: match /internal/{imageId} { allow read: if request.auth != null; } For more, see https://firebase.google.com/docs/storage/security/rules-conditions

+1

If you secure it with uid, the requests will be from your website only; anyone who has your DB link can't see, so it will be secure. I have used Firebase for almost all my Android projects; it is still secure.

+1

Ananaya Jemberu If I go to Google Cloud, there’s a setting where you can only allow requests from your website. I'll use that.

+1

Ananaya Jemberu I mean they can't read my db because read is false. They can't delete or update, that's false too. They can only make a document; how is that harmful? I don't understand.

+1

Ananaya Jemberu I’m only storing the user's email for a blog website. No one can read it, and I don't really care if someone puts in random data. No one can read users' emails, so it should be ok, right? If you think there is some threat, please tell me so I can find an alternative.

+1

What about you, do you want to read the emails?

+1

Ananaya Jemberu Yes, I am able to read them.

+1

Ananaya Jemberu Do you think I should obfuscate my API key and db info so it's safer?

+1

I mean, if you want, by entering your email and password you can allow only yourself to read the emails in your website.

+1

Ananaya Jemberu Are you sure I shouldn't obfuscate? My API key, storage bucket, db link, everything is in the Firebase config. However, read, update and delete are all FALSE, so even with the link I don't think they can do any harm, right?

+1

Ananaya Jemberu Alrighty, sounds good. I guess I will use Firebase, but I will obfuscate just for my satisfaction. I hope no one hacks my db. Thanks for your help 🤗

+1

Ok, good luck.

0

You can't do that. Even if you can, it is still insecure, because hackers can easily put in your website link and see other people's data and your data. But if you want your data to be public in your website, keep it as it is, i.e. read: true, write: false.

0

I mean, if you are not storing other people's data and just storing your data, which doesn't matter if anyone on your website can see it, just add "read": true, "write": false. Or, if you only want to post in your website, go to Firebase Auth, then add a user, and in it add your email and password. Firebase will generate a uid at the right side; copy it. Then go to the Firebase database rules and add "read": true, "write": "auth.uid == 'paste your uid here'".

0

Does it help?