Reputation: 21091
Restrict Firestore and Realtime Database write access
I want to restrict writing permissions on both Firestore and Realtime Database so that only app's backend can modify it.
What kind of rules can I apply? It seems that Database Secrets are not safe to use now.
Upvotes: 0
Views: 163
Answers (1)
Reputation: 599001
It depends a bit how your backend process accesses the databases.
If they do so through a Firebase Admin SDK, they will be accessing the database with administrative privileges and thus bypass all security rules. That means you can just lock down writes on the database completely for all regular clients.
In the Realtime Database, that can be accomplished with these rules:
{
"rules": {
".write": false
}
}
In Cloud Firestore, you accomplish the same with:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow write: if false;
}
}
}
In both cases I've ignore read permissions to keep things simple. The above snippets are fairly directly lifted from the Firebase documentation, so I'd recommend reading more about Realtime Database and Firestore there.
Upvotes: 1
Related Questions
- Restricting Firebase read/write access to only myself
- How do I configure Firebase-Security rules to limit 'what & when' users can write to Firebase data?
- Allow only admins to write data - Firebase Realtime Database - Security Rules
- Accessing Firestore from Firebase Realtime Database Security Rules
- Only allow logged in users to read and write Firebase data
- Simple protections for write access Firebase Realtime Database
- Restricting access to Firebase Firestore and Storage
- Firebase - limit write to authorized user
- Access rights in firebase database/firestore
- Firebase read/write permission for certain users