+ 2

Insecure Firebase security rules?

I got an email from Firebase saying my security rules are insecure. 🤨 My security rules say... allow read: if false, allow update: if false, allow delete: if false, allow create; The user can literally only create a document, that’s it. The email states that anyone can write to my db but that’s not true. Write means update, delete, and create... Do my rules look insecure to anyone?

3rd Oct 2020, 6:04 PM
Coder
20 Answers
+ 2
Yes, they can if they have your DB link, since you allow create, am I wrong? So the only way you could secure it is with a uid, i.e. add login, and when the user creates an account it creates a uid, so anyone who has an account can create in the DB.
3rd Oct 2020, 7:08 PM
Ananiya Jemberu
+ 2
Ananiya Jemberu What if I only allow requests from my website? Would I still be threatened?
3rd Oct 2020, 10:03 PM
Coder
+ 2
Firebase may send you this message because anyone who has the DB link can't read but can create unnecessary data, but if you want that, it's okay. To clarify your question: what kind of data are you storing in it, user profiles, or just public data, or suggestions for you, or private data? What kind of website do you want to make with it, social media? To suggest whether it's secure or not, please answer the question.
5th Oct 2020, 4:49 AM
Ananiya Jemberu
+ 2
So keep it as it is; it is safe, as I see in your answer. No need to hide the key (obfuscate) or to fear.
5th Oct 2020, 4:00 PM
Ananiya Jemberu
+ 2
Yeah, I have used Firebase for a while, don't worry, they can't read. You can obfuscate; as you answered my question, "it doesn't matter whether they can post". If you want this you don't have to see this post https://www.medium.com/@devesu/how-to-secure-your-firebase-project-even-when-your-api-key-is-publicity-available-a462a2a58843
5th Oct 2020, 4:45 PM
Ananiya Jemberu
+ 1
Use this code as an example: match /internal/{imageId} { allow read: if request.auth != null; } For more, see https://firebase.google.com/docs/storage/security/rules-conditions
3rd Oct 2020, 7:21 PM
Ananiya Jemberu
+ 1
If you secure it with a uid, the request will be from your website only; anyone who has your DB link can't see it, so it will be secure. I have used Firebase for almost all my Android projects and it is still secure.
4th Oct 2020, 4:37 AM
Ananiya Jemberu
+ 1
Ananiya Jemberu If I go to Google Cloud, there's a setting where you can only allow requests from your website. I'll use that.
4th Oct 2020, 3:19 PM
Coder
+ 1
Ananiya Jemberu I mean they can't read my db because read is false. They can't delete or update, that's false too. They can only make a document, how is that harmful? I don't understand.
4th Oct 2020, 7:53 PM
Coder
+ 1
Ananiya Jemberu I’m only storing the user's email for a blog website. No one can read it, and I don't really care if someone puts random data. No one can read users' emails, so it should be OK, right? If you think there is some threat please tell me so I can find an alternative.
5th Oct 2020, 2:43 PM
Coder
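An added example, not part of any post in this thread: Firestore rules for the setup described above (a create-only collection that holds a user's email), with the open `allow create;` shown in a comment beside a version that validates what a created document may contain. The collection name `subscribers`, the field name `email` and the 254-character bound are assumptions made for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // As described in the question: any client can create a document
    // of any shape and size, because create has no condition.
    //
    // match /subscribers/{docId} {      // hypothetical collection name
    //   allow read, update, delete: if false;
    //   allow create;
    // }

    // Same access model, but create only succeeds for a document that
    // contains exactly one field, `email`, holding a bounded string
    // that looks like an address.
    match /subscribers/{docId} {         // hypothetical collection name
      allow read, update, delete: if false;

      allow create: if request.resource.data.keys().hasAll(['email'])
                    && request.resource.data.keys().hasOnly(['email'])
                    && request.resource.data.email is string
                    && request.resource.data.email.size() <= 254
                    && request.resource.data.email.matches('^[^@ ]+@[^@ ]+[.][^@ ]+$');
    }
  }
}
```

This bounds what each created document can contain; it does not identify who is creating them, which is what the `request.auth != null` condition quoted elsewhere in the thread checks.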
+ 1
What about you, do you want to read the emails?
5th Oct 2020, 2:45 PM
Ananiya Jemberu
+ 1
Ananiya Jemberu Yes I am able to read them
5th Oct 2020, 3:54 PM
Coder
+ 1
Ananiya Jemberu Do you think I should obfuscate my API key and db info so i