Securing Google Firebase from DDOS / attackers and prevent surprise bills

Question

Im thinking of using firebase real time database but there are a few things im afraid of:

• High surprise bills
• System failure

There are a few things im thinking of doing:

• Layer 1: CloudFare CDN in front of Firebase.
• Layer 2: Security rules with time based rate limiting on write / read operations.
• Layer 3: Only well authentificated users can call firebase endpoints.
• Emergency Layer: I track the amount of read and write operations. If these are over a certain threshhold, I disabled billing on my project.

Is this secure enough?

How can I secure my firebase from read / write exploits or ddos?

Answer 1

You general approach around the three steps is good practice.

Please consider Firebase is cloud based so its exposure is front and center to the world, here are some specific recommendations to firebase and how to introduce watch dog practises:

Avoid insecure rules

// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this ruleset in production; it allows
// anyone to overwrite your entire database.

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }


}

Look out for rule cascading , make sure you traverse the entire tree to check rules

{
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth.uid == $uid || root.child('users').child(auth.uid).child('isAdmin').val() == true",
                ".write": "root.child('users').child(auth.uid).child('isAdmin').val() == true",
                ".indexOn": ["email"]
            }
        }
    }
}

---

Like the code below, since authorization on create allows malicious users created (perhaps by bots)

IMHO - I would make this manual or atleast have it checked against the users registration IP against something like honeypot

const getCustomClaimsByEmail = require('../utilities/get-custom-claims-by-email');
const setCustomClaims = require('../utilities/set-custom-claims');

module.exports = ({ admin, environment }) => user => {
  const db = admin.firestore();
  const usersCollection = db.collection(environment.schema.users);
  const customClaimsRef = admin.database().ref(environment.schema.customClaims);
  const auth = admin.auth();
  const email = extractEmailFromUser(user);

  return Promise.resolve()
    .then(getCustomClaimsByEmail(customClaimsRef, email))
    .then(setCustomClaims(auth, user.uid))
    .then(claims => {
      const update = mapUserUpdate(claims, user);
      return usersCollection.doc(user.uid).set(update, { merge: true });
    });
};

function mapUserUpdate(claims, user) {
  const email = extractEmailFromUser(user);

  return {
    claims,
    email,
    emailVerified: user.emailVerified,
    lastSignInTime: user.metadata.lastSignInTime,
    creationTime: user.metadata.creationTime,
    providerData: user.providerData,
  };
}

function extractEmailFromUser(user) {
  return user.email || user.providerData.find(({ email }) => email).email;
}

---

Now to your DDOS / traffic,

you can avoid abusive traffic by following this checklist, and during launch follow these checklist.

Answer 2

Write exploits are typically fairly simple to secure against for most use cases; Firebase security rules should cover you if you only allow authenticated (or admin) writes.

Reads are much more challenging if you have any public data that users can access without authenticating.

Budgets in Google Cloud can connect to a pub/sub topic, so one option is to create a cloud function that checks cost against the budget and shuts down the billing account if it exceeds a certain threshold.

Google has provided a sample for this here.