Alex Ironside

Reputation: 5039

Configuring Firebase project domain restrictions

My situation is as follows:

I have one database on Firebase. I have one app, which is on a domain. So right now I have configured the Google console like so:


But I also have a second app which I want to use only locally, as localhost:3000 or something similar, using npm start. Since the app is built using React, the whole code and API keys are visible. So I need the domain restriction. Anyone who has the key and credentials can build their own React project and just mess things up if a domain like localhost:3000 is trusted.

Changing the domain name is also not enough since attackers could just iterate through the ports and test them.

Is there any way for me to use the app locally without creating a security flaw?

Upvotes: 1

Views: 203

Answers (1)

JeremyW

Reputation: 5272

Unfortunately, there's no way for your backend to identify one localhost as OK and not another.

On the other hand, if you properly configure your DB rules, attackers won't be able to add malicious data to your production tables. And if you're looking at restricting the domain via the Google API screen, I assume you already know all about the Firebase RTD rules.

Upvotes: 2
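The kind of Realtime Database rules the answer points to, as an added example that is not part of the original question or answer. The paths `users` and `posts` and their fields are hypothetical; the rules assume clients sign in with Firebase Authentication, so access is decided by `auth.uid` rather than by which origin or port holds the API key.

```json
{
  /* Added example: "users", "posts" and their fields are assumed names. */
  "rules": {
    /* No ".read"/".write" at the root: any path not matched below is denied.
       Rules cascade downward, so a grant here could not be revoked deeper. */
    "users": {
      "$uid": {
        /* Only the signed-in owner can read or write their own record. */
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['displayName'])",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        },
        /* Reject any field not listed above. */
        "$other": { ".validate": false }
      }
    },
    "posts": {
      ".read": "auth != null",
      "$postId": {
        /* Create: the caller must set themselves as author.
           Update or delete: only the existing author may write. */
        ".write": "auth != null && ((!data.exists() && newData.child('author').val() === auth.uid) || (data.exists() && data.child('author').val() === auth.uid))",
        ".validate": "newData.hasChildren(['author', 'body'])",
        "author": { ".validate": "newData.val() === auth.uid" },
        "body": {
          ".validate": "newData.isString() && newData.val().length <= 2000"
        },
        "$other": { ".validate": false }
      }
    }
  }
}
```

With rules like these, a copy of the app served from any localhost port using the same key is still limited to what its signed-in user is allowed to read and write.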
