Reputation: 1113
I want to create a single page application where public users can upload photos and anyone who visits the website can like/dislike the photos. I'm using Firebase database and storage.
My question is how can I avoid any malicious activities such as adding images through a script and liking them? Can I throttle access or use a CSRF token? Or is the only way to avoid such an attack to authenticate the user?
Upvotes: 1
Views: 82
Reputation: 1995
You could hash the IP of the client into a lookup table in Firebase itself along with a timestamp, and use a rule or logic in a cloud fn to make sure you're not getting hammered from the same place. The first choice would not add any cost, but is more limited; the second choice would mean that you run a function for each insert but can run more elaborate defences.
Maybe you can do something more useful using Firestore? For all the things that it's missing, the rule system is more robust.
However, I would suggest that if you have no current or pressing problem with spamming, don't try to solve this first: don't think about painting the shed before building the shed.
Upvotes: 2
Reputation: 114347
If you want to restrict uploads to be in the user's key, you have to auth the user. Set up write access to be that user and admin.
Upvotes: 1
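As an added illustration of that answer, not rules from the answer or from the asker's project: Realtime Database rules that keep each user's uploads under their own key and let only that user write there. The path layout (`/photos/$uid/$photoId` and `/likes/$photoId/$uid`) and the field names are assumptions for the example. Writes made through the Admin SDK bypass these rules, which is what gives the "admin" side of the access the answer describes.

```json
{
  "rules": {
    "photos": {
      ".read": true,
      "$uid": {
        ".write": "auth != null && auth.uid === $uid",
        "$photoId": {
          ".validate": "newData.hasChildren(['url', 'createdAt'])",
          "url": { ".validate": "newData.isString() && newData.val().beginsWith('https://')" },
          "createdAt": { ".validate": "newData.val() === now" },
          "$other": { ".validate": false }
        }
      }
    },
    "likes": {
      "$photoId": {
        ".read": true,
        "$uid": {
          ".write": "auth != null && auth.uid === $uid && newData.isBoolean()"
        }
      }
    }
  }
}
```

The `.write` rule on `$uid` is what ties a write to the signed-in identity: an unauthenticated client, or one signed in as a different user, is rejected at the database rather than in your page's JavaScript, so a script talking directly to the REST endpoint gains nothing. Keying likes by the liker's `uid` also caps each account at one like per photo, and `createdAt === now` stops clients from backdating uploads. The Storage equivalent uses the same idea in its own rule language: a `match /photos/{uid}/{file}` block with `allow write: if request.auth != null && request.auth.uid == uid;`.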