Reputation: 16628
In Firebase security rules, how can you stop hackers running a script for signup to your website? Bear in mind I need them to be able to sign up externally on my homepage, so I cannot say they need to be logged in.
I know the basic settings from reading the Firebase security documentation, but I'm worried it's not secure enough, especially if someone knew my Firebase app URL to write or read to the database.
In addition it would be good to know the basics I should have, so I can check if I do have those.
Currently I have these settings:
{
  "rules": {
    "users": {
      ".read": "auth != null",
      ".write": true,
      ".indexOn": ["uid", "region"]
    }
  }
}
Users can write as I need them to sign up, but cannot read unless they are logged in. I also have some indexes for performance reasons.
This is where my knowledge stops.
Thanks in advance!
Upvotes: 3
Views: 883
Reputation: 19960
You want to allow users to write, but only to their own user entry. That's actually easy to do with rules:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
This says /user/{$uid} can only be read or written by a user who is signed in, and whose user ID matches the {$uid} part of the path. Take a look at the rules quickstart for more.
Upvotes: 4
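To make the difference between the two rule sets concrete, here is an added example (not part of the question or answer, and not Firebase's own rules engine) that simulates the Realtime Database rule cascade: a `.read` or `.write` grant at a node applies to everything below it, `$wildcard` keys bind the matching path segment, and anything with no grant on the way down is denied. The two rule sets are the ones posted above; the user IDs `alice` and `bob` and the `/profile` child are constructed sample values. Rule expressions are compiled with `new Function`, which is acceptable here only because the rule strings are authored locally in this file.

```javascript
// Simplified simulator of Firebase Realtime Database security rule evaluation.
// Added example: it models the cascade semantics (an ancestor grant permits the
// whole subtree; missing rules deny) for expressions over `auth` and `$wildcards`.
// It is NOT Firebase's engine and supports only the constructs used below.

// Evaluate a rule value: booleans are taken as-is, strings are compiled as JS
// expressions over `auth` and the bound wildcard variables (e.g. `$uid`).
function evaluateRule(rule, auth, vars) {
  if (typeof rule === 'boolean') return rule;
  const names = Object.keys(vars); // wildcard names such as "$uid" are valid JS identifiers
  const fn = new Function('auth', ...names, `return (${rule});`);
  return Boolean(fn(auth, ...names.map((n) => vars[n])));
}

// Decide whether `op` ("read" or "write") on `path` is allowed for `auth`
// (null when unauthenticated, otherwise an object with a `uid`).
function isAllowed(rules, op, path, auth) {
  const ruleKey = op === 'read' ? '.read' : '.write';
  const segments = path.split('/').filter(Boolean);
  const vars = {};
  let node = rules.rules;

  for (let depth = 0; ; depth++) {
    // A grant at any ancestor (or at the node itself) cascades downward.
    if (node[ruleKey] !== undefined && evaluateRule(node[ruleKey], auth, vars)) {
      return true;
    }
    if (depth === segments.length) return false; // reached the target, no grant found

    const segment = segments[depth];
    let next = node[segment];
    if (next === undefined) {
      // Fall back to a $wildcard child and bind the segment to its name.
      const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
      if (wildcard === undefined) return false; // no rule node below: default deny
      vars[wildcard] = segment;
      next = node[wildcard];
    }
    node = next;
  }
}

// The rule set from the question: anyone can write anywhere under /users.
const originalRules = {
  rules: {
    users: {
      '.read': 'auth != null',
      '.write': true,
      '.indexOn': ['uid', 'region'],
    },
  },
};

// The per-user rule set from the answer.
const perUserRules = {
  rules: {
    users: {
      $uid: {
        '.read': 'auth != null && auth.uid == $uid',
        '.write': 'auth != null && auth.uid == $uid',
      },
    },
  },
};

// Constructed sample principals.
const anonymous = null;
const alice = { uid: 'alice' };

// Summarise the access decisions a defender cares about for one rule set.
function accessReport(rules) {
  return {
    anonWritesOtherUser: isAllowed(rules, 'write', '/users/bob', anonymous),
    aliceWritesOtherUser: isAllowed(rules, 'write', '/users/bob', alice),
    aliceWritesOwnEntry: isAllowed(rules, 'write', '/users/alice', alice),
    aliceReadsOwnChild: isAllowed(rules, 'read', '/users/alice/profile', alice),
    aliceListsAllUsers: isAllowed(rules, 'read', '/users', alice),
  };
}

console.log('original rules:', accessReport(originalRules));
console.log('per-user rules:', accessReport(perUserRules));
```

With the original rules the report shows an unauthenticated client writing to another user's entry, which is exactly the signup-script and "anyone with the URL" exposure the question raises; with the per-user rules only the signed-in owner can touch their own subtree, and listing `/users` as a whole is denied because no grant exists at that level.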