+ 2

Insecure Firebase security rules?

I got an email from Firebase saying my security rules are insecure. 🤨 My security rules say... allow read: if false, allow update: if false, allow delete: if false, allow create; The user can literally only create a document, that’s it. The email states that anyone can write to my db but that’s not true. Write means update, delete, and create... Do my rules look insecure to anyone?

3rd Oct 2020, 6:04 PM
Coder
Coder - avatar
20 Réponses
+ 2
Yes they can if they have your DB link since you allow create am I wrong .so the only way you could secure it with uid I.e add login and while the user create account it create uid so any one which have account it can create in DB
3rd Oct 2020, 7:08 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 2
Ananaya Jemberu What if I only allow requests from my website? Would I still be threatened?
3rd Oct 2020, 10:03 PM
Coder
Coder - avatar
+ 2
Firebase may send you this message because anyone can't read but can create unnecessary data who have DB link , but if you want it's okay To clarify your question What kind of data you are storing in it user profile or just public data or suggestion for you or private data, what kind of website you want to make with it , social media, .to suggest you weather it's secure or not please answer the question
5th Oct 2020, 4:49 AM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 2
So keep it as it is safe as I see in your answer no need to hide the key (obfuscate) and to fear
5th Oct 2020, 4:00 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 2
Yeah, I have used firebase for a while don't worry, they can't read you can obfuscate, as you answer my question "it doesn't matter weather they can post" if you want this you don't have to see this post https://www.medium.com/@devesu/how-to-secure-your-firebase-project-even-when-your-api-key-is-publicity-available-a462a2a58843
5th Oct 2020, 4:45 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 1
use this code as eg match /internal/{imageId} { allow read: if request.auth != null; } for more see https://firebase.google.com/docs/storage/security/rules-conditions
3rd Oct 2020, 7:21 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 1
If you secure it with uid the request will be from your website only, any one who have your DB link can't see so it will be secure, I have use ifrebase for almost all my androidd projects it is still secure
4th Oct 2020, 4:37 AM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 1
Ananaya Jemberu If i go to google cloud, there’s a setting where you can only allow requests from your website. Ill use that
4th Oct 2020, 3:19 PM
Coder
Coder - avatar
+ 1
Ananaya Jemberu I mean they can't read my db because read is false. They can't delete or update, that's false too. They can only make a document, how is that harmful? I dont understand
4th Oct 2020, 7:53 PM
Coder
Coder - avatar
+ 1
Ananaya Jemberu I’m only storing the users email for a blog website. No one can read it, and i dont really care if someone puts random data. No one can read users emails so it should be ok right? If you think there is some threat please tell me so I can find an alternative
5th Oct 2020, 2:43 PM
Coder
Coder - avatar
+ 1
What about you, do you want to read the emails ?
5th Oct 2020, 2:45 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 1
Ananaya Jemberu Yes I am able to read them
5th Oct 2020, 3:54 PM
Coder
Coder - avatar
+ 1
Ananaya Jemberu Do you think I should obfuscate my api key and db info so its more safe?
5th Oct 2020, 3:55 PM
Coder
Coder - avatar
+ 1
I mean if you want, by entering your email and password you can only allow yourself to read emails in your website
5th Oct 2020, 4:04 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
+ 1
Ananaya Jemberu Are you sure I shouldn't obfuscate? My api key, storage bucket, db link, everything is in the firebase config. However, read update and delete are all FALSE so even with the link I dont think they can do any harm, right?
5th Oct 2020, 4:39 PM
Coder
Coder - avatar
+ 1
Ananaya Jemberu alrighty, sounds good. I guess I will use firebase, but I will obfuscate just for my satisfaction. I hope no one hacks my db thanks for your help 🤗
5th Oct 2020, 8:09 PM
Coder
Coder - avatar
+ 1
Ok good luck
5th Oct 2020, 8:10 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
0
You can't do that if you can even it is still insecure because hackers can easily put your website link and see other people's data and yours data but if you want your data to be public in your website keep it as it is I.e read : true write : false
4th Oct 2020, 4:23 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
0
I mean if you are not storing other people's data and just storing your Data which doesn't matter if any one in your website can see it Just add "read": true, " write": false or if you only want to post in your website go to firebase auth then add user, and in it add ur email and password firebase will generate uid at the right side copy it. then go to forecast database rules add "read": true, " write": "auth.uid == 'paste your uid here' "
4th Oct 2020, 4:28 PM
Ananiya Jemberu
Ananiya Jemberu - avatar
0
Does it help
4th Oct 2020, 4:45 PM
Ananiya Jemberu
Ananiya Jemberu - avatar