Reputation: 353
The case study I would like to offer you is the following.
I have an application that uses the payment plan, a hacker gets the source code and makes a lot of queries, so I will pay a lot of money for nothing.
Is there a Firebase-side way to prevent / limit this?
Thank you.
Upvotes: 0
Views: 141
Reputation: 317497
If your security rules allow direct querying from web and mobile clients, then there is nothing that can be done to limit those queries. The person who is allowed to query will be able to do so without limits. All you can really do is make it more difficult, but it will not be impossible for the hacker to incur costs. This is the general rule for all cloud-based services open to the public.
If you want to know if billing goes outside your expectations, you can set up budget alerts to let you know when that happens.
If you must place limits on queries, you will need to adjust your security rules to disallow all queries from web and mobile clients, and instead force all queries through a backend that you control. Your backend will need to impose the limits you want.
If you suspect abusive behavior on your project, you should contact Firebase support directly to report it.
Upvotes: 1
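One way to implement the backend-enforced limit described in the answer above, as an added example that is not part of the original answer. It assumes the backend has already verified the caller's ID token to obtain `uid`; `QueryLimiter`, `handleQuery` and `runQuery` are hypothetical names, with `runQuery` standing in for the server-side database read.

```javascript
// Added example: per-user token-bucket limiter for a backend that fronts the database.
// Assumptions: `uid` comes from an ID token the backend has already verified;
// `runQuery` is a hypothetical function wrapping the server-side database read.
class QueryLimiter {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;         // maximum burst size per user
    this.refillPerSec = refillPerSec; // sustained queries per second per user
    this.now = now;                   // injectable clock (milliseconds)
    this.buckets = new Map();         // uid -> { tokens, last }
  }

  // Returns true and spends one token if the caller is within budget.
  tryConsume(uid) {
    const t = this.now();
    const b = this.buckets.get(uid) || { tokens: this.capacity, last: t };
    const elapsedSec = Math.max(0, (t - b.last) / 1000);
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    const allowed = b.tokens >= 1;
    if (allowed) b.tokens -= 1;
    this.buckets.set(uid, b);
    return allowed;
  }
}

// Backend entry point: reject unauthenticated or over-budget callers
// before any billable read is issued.
async function handleQuery(limiter, uid, runQuery) {
  if (!uid) return { status: 401, body: "unauthenticated" };
  if (!limiter.tryConsume(uid)) return { status: 429, body: "rate limit exceeded" };
  return { status: 200, body: await runQuery(uid) };
}

// Constructed demo: 3-query burst, refill of 1 query per second, fake clock.
async function demo() {
  let clock = 0;
  let billableReads = 0;
  const limiter = new QueryLimiter({ capacity: 3, refillPerSec: 1, now: () => clock });
  const runQuery = async () => { billableReads += 1; return ["doc"]; };
  const statuses = [];
  for (let i = 0; i < 5; i++) statuses.push((await handleQuery(limiter, "user-a", runQuery)).status);
  clock += 2000; // two seconds later: two tokens refilled
  for (let i = 0; i < 3; i++) statuses.push((await handleQuery(limiter, "user-a", runQuery)).status);
  statuses.push((await handleQuery(limiter, null, runQuery)).status);
  return { statuses, billableReads };
}

demo().then((r) => console.log(r));
```

The in-memory `Map` only holds for a single backend process; with several instances the buckets would need to live in shared storage so a caller cannot spread requests across instances.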