Tulun

Reputation: 469

Correct way to set up security for Firebase DB

Okay, I have the following use case for Firebase:

Client wants us to store data from a form and put it into the DB. This is handled on the backend with Express.

This has to be done pretty quickly, so I just want to make sure I do it correctly.

I currently have the rules to allow read and write access to be true. Would this be okay in production, given that users can only input data through the form? And they wouldn't have access to the API key, so other users couldn't mess with the data?

Upvotes: 1

Views: 86

Answers (2)

ppajer

Reputation: 3145

Yes, having both read and write permissions set to true is a big security hole for multiple reasons:

  • Public read access creates a privacy problem for your users if you handle any personal information.
  • It is also a breach of confidentiality with your client if you expose their business data to the public without their consent.
  • Public write access allows anyone with your database URL to delete or modify its contents at will.

Also note that if your app exposes Firebase through its front-end to the users, getting your database URL is as simple as reading through the app's HTML source.

What you can do, however, is authenticate your app through the server side and set private access to the database. Take a look at how to create a service account, also detailed here.

If you use an older version of Firebase, you will have to use server tokens.

Hope this helps!

Upvotes: 2

Frank van Puffelen

Reputation: 598603

From your description it sounds like you have:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

This means that anyone who can find the URL for your database (https://yours.firebaseio.com) can write to the database. It doesn't matter if they use your form, directly use a Firebase SDK or even if they just make a REST request using curl:

curl -X DELETE 'https://yours.firebaseio.com/.json'

This last line will delete your entire database. And all it takes is one malicious user or one typo while you're developing (this happens a lot more than you'd think).

So you really should set up your database security rules to:

  1. validate that the data is in the correct format
  2. make sure that only authenticated users can access the data that they're authorized for

Upvotes: 3
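
One way to write rules that meet both points in the answer above, as an added example that is not from either answer: each signed-in user can only touch their own submissions, and every write is checked for shape and size. The `submissions/$uid/$submissionId` layout and the `name`, `email` and `message` fields are assumptions standing in for the real form.

```json
{
  "rules": {
    // Default for every path not granted below: no client access at all.
    ".read": false,
    ".write": false,

    // Hypothetical layout: submissions/<uid>/<submissionId>/{name,email,message}
    "submissions": {
      "$uid": {
        // Only the authenticated owner may read or write under their own uid.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",

        "$submissionId": {
          // Every submission must carry all three fields.
          ".validate": "newData.hasChildren(['name', 'email', 'message'])",

          "name": {
            ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 100"
          },
          "email": {
            ".validate": "newData.isString() && newData.val().contains('@') && newData.val().length <= 254"
          },
          "message": {
            ".validate": "newData.isString() && newData.val().length <= 2000"
          },

          // Reject any field the form does not define.
          "$other": {
            ".validate": false
          }
        }
      }
    }
  }
}
```

A backend that authenticates with a service account through the Admin SDK bypasses these rules, so with that setup the two root-level `false` entries alone are enough to close the database to the public.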
