Reputation: 28
Right now I'm writing the rules for a Firestore database, allowing reads only to anonymous and registered users, because I don't know if it is a good idea to leave the database open to everyone to read by any means (like curl).
Do you think it's OK to leave it open to read, or should I continue to use anonymous and registered rules?
BTW, this is only about read operations; write operations are secured, and some collections are off limits even to every registered user.
Upvotes: 0
Views: 427
Reputation: 25134
Your instinct is correct: it's almost never a good idea to leave your database completely open even for read-only operations. Cloud Firestore charges per document read, so if your database is open to the whole internet someone could (on purpose or not) run up a bill by just attempting to read your entire database over and over.
Upvotes: 1
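The setup discussed above, sketched as Firestore security rules. This is an added example, not part of either post; the collection names `articles` and `internal` and the limit of 50 are assumptions chosen for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting, kept commented out for contrast: any client on the
    // internet, including an unauthenticated curl request, can read, and
    // every document read is billed to the project.
    // match /articles/{articleId} {
    //   allow read: if true;
    // }

    // Corrected: reads require a Firebase Auth session. Anonymous sign-in
    // satisfies this, because request.auth is populated for anonymous
    // users as well as registered ones.
    match /articles/{articleId} {
      allow get: if request.auth != null;

      // A list query must carry a limit of at most 50, so a single
      // request cannot pull the whole collection.
      allow list: if request.auth != null
                  && request.query.limit <= 50;
    }

    // Off limits to every client, registered or not. Server code using
    // the Admin SDK bypasses security rules and can still reach it.
    match /internal/{docId} {
      allow read, write: if false;
    }

    // No write rule is given for articles: anything not explicitly
    // allowed is denied.
    //
    // Avoid adding a recursive wildcard such as
    //   match /{document=**} { allow read: if request.auth != null; }
    // alongside these blocks. When several match blocks cover the same
    // path, access is granted if any one of them allows it, so the
    // wildcard would reopen /internal to every signed-in user.
  }
}
```

Requiring sign-in does not by itself bound the bill, since an anonymous session is free to obtain; the per-query limit narrows what one request can cost, and budget alerts on the project cover the rest.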