+ 2
Insecure Firebase security rules?
I got an email from Firebase saying my security rules are insecure. 🤨 My security rules say... allow read: if false, allow update: if false, allow delete: if false, allow create; The user can literally only create a document, that’s it. The email states that anyone can write to my db but that’s not true. Write means update, delete, and create... Do my rules look insecure to anyone?
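To make the question concrete, here is the rule set the post describes next to a tightened variant. This is an added example, not rules from the original thread: the collection name `subscribers`, the field names `email` and `createdAt`, and the size limit are assumptions. The point of the tightened version is that an unconditional `allow create` lets anyone holding the public web config (which is shipped to every browser) write an unlimited number of documents of any shape into the collection, which is what the Firebase warning is about, even though nobody can read them back; requiring a signed-in user and validating the document shape bounds that.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // As described in the post: reads, updates and deletes closed,
    // creates open to anyone who has the project config.
    // (Collection name 'open_subscribers' is assumed for illustration.)
    match /open_subscribers/{docId} {
      allow read, update, delete: if false;
      allow create;
    }

    // Tightened variant. Same intent (write-only mailbox for emails),
    // but the writer must be signed in (Anonymous Auth is enough) and
    // the document must contain exactly the expected fields.
    match /subscribers/{docId} {
      allow read, update, delete: if false;
      allow create: if request.auth != null
        // no extra keys smuggled in
        && request.resource.data.keys().hasOnly(['email', 'createdAt'])
        // email is a bounded string that at least looks like an address
        && request.resource.data.email is string
        && request.resource.data.email.size() <= 254
        && request.resource.data.email.matches('^[^@]+@[^@]+$')
        // timestamp must be set server-side (FieldValue.serverTimestamp())
        && request.resource.data.createdAt == request.time;
    }
  }
}
```

Two caveats for anyone copying this: Firestore rules are evaluated per request, so an `allow create` grant cannot rate-limit writes by itself; if volume is a concern, keep App Check enabled and watch the write count in the console. And restricting the API key by HTTP referrer in Google Cloud (mentioned later in the thread) is a useful layer but not a substitute for rules, because the referrer is supplied by the client and a non-browser script can set it to anything.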
20 answers
+ 2
Yes, they can if they have your DB link, since you allow create, am I wrong? So the only way you could secure it is with uid, i.e. add login, and while the user creates an account it creates a uid, so anyone who has an account can create in the DB
+ 2
Ananaya Jemberu What if I only allow requests from my website? Would I still be threatened?
+ 2
Firebase may send you this message because, although nobody can read, anyone who has the DB link can create unnecessary data; but if that's what you want, it's okay.
To clarify your question:
What kind of data are you storing in it: user profiles, just public data, suggestions, or private data? What kind of website do you want to make with it, social media, ...? To suggest whether it's secure or not, please answer the question.
+ 2
So keep it as it is; it is safe as I see from your answer, no need to hide the key (obfuscate) and no need to fear.
+ 2
Yeah, I have used Firebase for a while; don't worry, they can't read.
You can obfuscate; as you answered my question, "it doesn't matter whether they can post", if you want this you don't have to.
see this post https://www.medium.com/@devesu/how-to-secure-your-firebase-project-even-when-your-api-key-is-publicity-available-a462a2a58843
+ 1
Use this code as an example:
match /internal/{imageId} {
allow read: if request.auth != null;
}
for more see https://firebase.google.com/docs/storage/security/rules-conditions
+ 1
If you secure it with uid the request will be from your website only; anyone who has your DB link can't see,
so it will be secure. I have used Firebase for almost all my Android projects; it is still secure.
+ 1
Ananaya Jemberu If I go to Google Cloud, there's a setting where you can only allow requests from your website. I'll use that.
+ 1
Ananaya Jemberu I mean they can't read my db because read is false. They can't delete or update, that's false too. They can only make a document, how is that harmful? I don't understand.
+ 1
Ananaya Jemberu I'm only storing the users' emails for a blog website. No one can read them, and I don't really care if someone puts in random data. No one can read users' emails, so it should be ok, right? If you think there is some threat please tell me so I can find an alternative.
+ 1
What about you, do you want to read the emails?
+ 1
Ananaya Jemberu Yes I am able to read them
+ 1
Ananaya Jemberu Do you think I should obfuscate my API key and db info so I