Reputation: 28
Firestore rules good practices
Right now I'm writing the rules for a Firestore database allowing read only to anonymous and registered users because I don't know if it is a good idea to let the database open to everyone to read by any means (like curl).
Do you think it's ok to let it open to read or should I continue to use anonymous and registered rules?
BTW, this is only read operations, write operations are secured and even some collections are off limits even to every registered user.
Upvotes: 0
Views: 427
Answers (1)
Reputation: 25134
Your instinct is correct: it's almost never a good idea to leave your database completely open even for read-only operations. Cloud Firestore charges per document read, so if your database is open to the whole internet someone could (on purpose or not) run up a bill by just attempting to read your entire database over and over.
Upvotes: 1
Related Questions
- Struggling Firestore rules
- Firestore Rules
- Define the right Firestore Security Rules
- Firestore rules, queries and structuring data
- Firebase Storage security rules and firestore
- Rules Cloud Firestore
- Firestore Security Rules for this scenario
- Firestore Firebase Database Rules
- Advice for Firebase Rules
- How to setup Firestore security rules correctly