How do I prevent other users from accessing my Realtime Database via my Firebase URL? What must I do to secure it to only my domain?
How do I prevent un-authorized access to my Firebase Realtime Database?
Asked Answered
First of all, understand that you cannot secure any URL on the internet according to the origin domain--malicious users can simply lie. Securing the origin domains is only useful in preventing cross-site spoofing attacks (where a malicious source pretends to be your site and dupes your users into logging in on their behalf).
The good news is that users are already prevented from authenticating from unauthorized domains from the start. You can set your authorized domains in Forge:
- type your Firebase url into a browser (e.g. https://INSTANCE.firebaseio.com/)
- log in
- click on the Auth tab
- add your domain to the list of Authorized Requests Origins
- select a "provider" you want to use and configure accordingly
Now to secure your data, you will go to the security tab and add security rules. A good starting point is as follows:
{
"rules": {
// only authenticated users can read or write to my Firebase
".read": "auth !== null",
".write": "auth !== null"
}
}
Security rules are a big topic. You will want to get up to speed by reading the overview and watching this video
I'd like to develop an app that users can use it without login. But I worried about if someone browse the source of my site, and get my firebase url that is written public, then use it for his own read and write processes. I have added a www.google.com as an authorized url, but I can write to my firebase from a different host's ip which has my app files. –
Grochow
As stated, you cannot prevent anybody from writing to your Firebase (or anything else on the web) without authentication of some variant. –
Diandrous
I see that's like a rdbms database authentication. thank you. –
Grochow
@kato, suppose that someone take the firebase url and develop off it on a localhost, authenticate themselves, then they would have access to all data? –
Houppelande
If they are in fact the same person (i.e. they have the username and password) then what difference does it make where they connect from? Use validation rules and security to prevent unauthorized writes and don't concern yourself with artificial/ineffective constraints like origin. –
Diandrous
Can't the browser or agent fake the Request Origin? –
Stenotype
Yes. I'm pretty sure that's exactly what I said? Whitelisting is to prevent cross-site spoofs, not to prevent request origins. –
Diandrous
So how do I protect non user-based data, that can be manipulate by the users (such as a public zone), without the risk of losing it all? –
Tetzel
No idea what that means. If it's public data it's by definition unprotected. If you want to allow append-only (i.e. no deletions) security rules can enforce that. –
Diandrous
HOW DOES FIREBASE KNOW THAT MY USER IS AUTHENTICATED!? My users are authenticated; am i supposed to pass the UID with RTDB requests? –
Lebrun
@Diandrous It'd probably be good to mention Firebase App Check in this answer, as that nowadays allows a reasonable measure of locking down access to requests coming from a specific domain/app: firebase.google.com/docs/app-check –
Cyclopedia
Setup security Rules, source to learn : https://firebase.google.com/docs/rules
Use Emulators (It will make keys not easy to visible by beginner programmers) , source : https://firebase.google.com/docs/rules/emulator-setup
Cloud Functions (It will hide the names of Collections and Docs) , https://firebase.google.com/docs/functions
Limit the API keys to specific website/s(It will make peoples unable to access your website/app from outside)
if someone knows more methods, please tell, no one can be perfect.
© 2022 - 2025 — McMap. All rights reserved.