Barry

Reputation: 85

Firebase security layer and manipulations (JavaScript)

I am wondering if Firebase is protected against 'script kiddies'. For example: if I know the Firebase instance (from what I see in tutorials online), then I can add something to the Firebase storage from the console in my browser.

var fbinst = new Firebase("https://nettuts-chat-application.firebaseio.com/");
for (var i = 0, l = 1000; i < l; i++) {
   fbinst.push({comment: 'lol'});
}

How can this be avoided or protected against?

Upvotes: 0

Views: 58

Answers (1)

David East

Reputation: 32604

Security Rules.

Firebase Security Rules are server-side expressions that control access to your Firebase database.

Security Rules come with a set of server variables that allow you to check against server values. The auth variable contains the currently authenticated user, or null if there is none.

In the following sample, only authenticated users can read and write their own data.

{
   "rules": {
      "$uid": {
         ".read": "auth.uid == $uid",
         ".write": "auth.uid == $uid"
      }
   }
}

Security rules allow you to read current data with the data variable, and the attempted data with newData.

"posts": {
   "$post_id": {
      ".read": "data.child('uid').val() == auth.uid",
      ".write": "newData.child('uid').val() == auth.uid"
   }
}

You can also validate data structure with the .validate rule.

"posts": {
   "$post_id": {
      ".read": "data.child('uid').val() == auth.uid",
      ".write": "newData.child('uid').val() == auth.uid",
      ".validate": "newData.hasChildren(['uid'])"
   }
}

Upvotes: 1
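
The effect of the answer's rules on the loop from the question, as an added example that is not part of the original question or answer and is not Firebase's own code: a simplified JavaScript model that evaluates only the .write and .validate expressions of a single node. The helper names (snapshot, evalRule, decideWrite, replayFlood) and the openRules contrast are assumptions made for illustration.

```javascript
// Simplified model of rule evaluation for one node; not Firebase's engine.

// Stand-in for the snapshot methods the page's rules call (val, child, hasChildren).
function snapshot(value) {
  const isObj = value !== null && typeof value === 'object';
  return {
    val: () => (value === undefined ? null : value),
    child: (key) => snapshot(isObj ? value[key] : undefined),
    hasChildren: (keys) => isObj && keys.every((k) => value[k] != null),
  };
}

// Evaluate one rule expression. An expression that cannot be evaluated
// (for example auth.uid while auth is null) counts as a denial in this model.
function evalRule(expr, auth, data, newData) {
  if (expr === undefined) return false; // no rule means no access
  try {
    const fn = new Function('auth', 'data', 'newData', `return (${expr});`);
    return fn(auth, snapshot(data), snapshot(newData)) === true;
  } catch (err) {
    return false;
  }
}

// Decide a write to one child of "posts": .write must grant it, then .validate must pass.
function decideWrite(rules, auth, existing, incoming) {
  if (!evalRule(rules['.write'], auth, existing, incoming)) return 'denied by .write';
  if ('.validate' in rules && !evalRule(rules['.validate'], auth, existing, incoming)) {
    return 'denied by .validate';
  }
  return 'allowed';
}

// The "$post_id" rules from the answer, copied verbatim.
const answerRules = {
  '.read': "data.child('uid').val() == auth.uid",
  '.write': "newData.child('uid').val() == auth.uid",
  '.validate': "newData.hasChildren(['uid'])",
};
// Constructed contrast: a node that lets anyone write, which the question's loop relies on.
const openRules = { '.write': 'true' };

// Replay the question's loop against a rule set and count the accepted writes.
function replayFlood(rules, auth, count) {
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    if (decideWrite(rules, auth, null, { comment: 'lol' }) === 'allowed') accepted++;
  }
  return accepted;
}
```

The answer's rules tie every accepted write to the uid of an authenticated user; they do not limit how many writes that user makes.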
