How insecure is firebase rule: read and write = true

Question

Using firebase rules as:

{
  "rules": {
    ".read": true,
      ".write": true
  }
}

means that everyone inside my application can read/write the firebase resource or means everyone including any request not necessary comming from my application can read/write?

Answer 1

With these rules, I can:

• Get your entire database with a single URL, which you actually ship in application source code. I don't even need to use your app for this, I can just do https://<yourdatabaseURL>/.json and get it all.
• Wipe your entire database with a single line of code, from a tool as simple as the JavaScript console of my browser.

So yeah, it's pretty much as insecure as all the reports make it out to be.

Since you have to include the URL in your app in order to be able to access database, leaving the rules like this is just asking for problems.

---

You should secure your database by using Firebase App Check to make it harder to access the database outside of your application, and then implement proper security rules to have fine-grained access control.

Ideally you should:

1. Start with the exact opposite rules, that deny all access, then
2. Implement the first small use-case of your application in code.
3. Watch it get rejected by the security rules.
4. Change your rules to allow only that one use-case, and nothing else.
5. Go on to the next use-case.

This is known as the principle of least privilege and is key to protecting the data.

---

I recommend also checking out these other questions on the same (really broad) topic:

• Is it safe to expose Firebase apiKey to the public?
• Does Firebase App Check discard the need for implementing Security Rules?
• Firebase Permission Denied
• Firebase email saying my realtime database has insecure rules