Reputation: 855
I have to admit I don't know much about security and security patterns. I am developing a firebase function that accepts a license code and returns false if the license code is not valid.
I am afraid that a hacker could brute force the function and find out all possible license codes. How can I make this function more secure? E.g. by implementing a quota for maximum calls per hour. The same principle is used for firebase auth, see here.
I checked the documentation for firebase function quotas and couldn't find any setting that allows configuring such a quota on an IP-based level.
How can I secure my function against brute force attacks?
Upvotes: 1
Views: 468
Reputation: 317740
You can certainly try to put a rate limit on the function, but that would affect everyone, and would shut out legitimate users. There is not actually anything you can do from a Google Cloud infrastructure perspective to increase the security of API endpoints that you expose to the public for anonymous use.
What you should do instead is make your data more secure. The best way to do this is to eliminate any sense of pattern with respect to the data your function accepts. This means that your license codes should be effectively unguessable by making them long and random enough such that it makes a brute force attack virtually impossible to guess any code. Sequential or non-random values are much easier to guess, especially if they follow an easily discernible pattern.
If you think that your project is subject to abusive behavior, that's something you should report to Google Cloud support, for them to investigate.
Upvotes: 2