Wor Chan

Reputation: 169

How is not using Firebase Security Rules a security risk?

I have a Next.js application and I'm using Firebase database. I have not added security rules as I'm not using authentication.

I'm hosting on Vercel and my Firebase config is stored in environment variables. I heard that not using Firebase is a security risk but I don't understand how. Even though the client makes the request, the server API is the one making Firebase calls.

How is it that the user can hack my firebase requests and modify my database if I don't use security rules?

Upvotes: 1

Views: 215

Answers (1)

Doug Stevenson

Reputation: 317372

If your client app is not using the provided web or mobile APIs to directly access the database, then security rules are not ever being used. They only apply to web and mobile access. Backend access bypasses rules completely.

If you have no direct client access, then security rules are meaningless. Hackers will have to find some other way to gain unauthorized access to your database other than exploiting a lack of rules.

Upvotes: 1
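
For the setup the answer describes, where only backend code touches the database, a deny-all ruleset closes the client SDK path while the backend keeps working because it bypasses rules. This is an added example, not part of the original answer or the asker's project, and it assumes Cloud Firestore (the question does not say which Firebase database is in use).

```firestore-rules
// Added example: Cloud Firestore rules for a database that is only
// accessed from backend code. Assumption: the project uses Cloud Firestore.
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting, shown for comparison only: any web or mobile client
    // that talks to the database directly may read and write every document.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Corrected setting: every request that is subject to rules is denied.
    // Backend access is not evaluated against these rules, so server-side
    // reads and writes are unaffected.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```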
