Reputation: 7344
Fundamentally, if my client-side JavaScript is going to be modifying my Firebase data remotely, couldn't anyone come along and examine that code and start modifying the same Firebase data at will?
I know they can't modify areas of the data that are off limits to various users or situations, but if for example a user has the ability to create blog posts, couldn't they log in, examine/manipulate the local copy of my JavaScript, and send Firebase requests to create millions of blog posts?
Basically, any secret that I make known to my client-side JavaScript in order to empower it to change Firebase data is also known to any client-side user, right?
Upvotes: 0
Views: 81
Reputation: 598740
Yes. Anything you put into your source code is likely to be discovered by a user. So it is a bad idea to put secrets into your application code.
Instead you normally let your users authenticate against a trusted service (such as one of the supported providers for Firebase's login) and build an authorization scheme around that using Firebase's security rules.
Upvotes: 1
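An added example, not part of the answer above and not code from the asker's project: Realtime Database security rules of the kind the answer describes, where the server decides what a signed-in user may write regardless of what the client-side code does. It assumes the Realtime Database (not Firestore); the `posts` path and the `authorUid`, `title` and `body` field names are hypothetical.

```json
{
  "rules": {
    // Assumed layout: /posts/<postId> = { authorUid, title, body }
    "posts": {
      // Blog posts are public to read.
      ".read": true,

      "$postId": {
        // Writes need a signed-in user (auth is set by Firebase Authentication,
        // not by anything in the client code), and the post must name that
        // user as its author. An existing post can only be changed by the
        // user who already owns it. Deletes are denied here, because a
        // deleted node has no authorUid to compare against.
        ".write": "auth != null && newData.child('authorUid').val() === auth.uid && (!data.exists() || data.child('authorUid').val() === auth.uid)",

        // Every post must carry exactly the expected fields.
        ".validate": "newData.hasChildren(['authorUid', 'title', 'body'])",

        "authorUid": {
          ".validate": "newData.isString()"
        },
        "title": {
          // Bounded size so a client cannot store arbitrarily large values.
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 200"
        },
        "body": {
          ".validate": "newData.isString() && newData.val().length <= 20000"
        },

        // Reject any field not listed above.
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

These rules are evaluated on Firebase's servers for every request, so editing the local copy of the JavaScript does not bypass them; they control who may write and what shape the data takes, not how often a permitted user writes.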