Login/Register
Locking down Firebase DB access to specific apps
Asked Answered
Solved firebasefirebase-realtime-databasefirebase-authenticationfirebase-security
M

3

14

I think from searching the web this is not technically possible but I want to ask again in case I'm missing something.

I have an app that uses Firebase. Reading and writing is locked down through security rules for authorised users only but there's certain information I want unauthorised users to be able to access (so I don't have to put a login wall in front of them, influencing churn).

What I want to know is, is there any way of locking down this read access that only my app can call the DB? I know I can lock down domains to prevent someone writing localhost scrapers but what's to stop someone cloning and re-skinning an app and pointing it to the same back end? Is it possible to achieve this using your certificates fingerprint?

Mann answered 25/8, 2018 at 14:3 Comment(0)
B
7

There is no way to limit access to your database to just your app. That just doesn't match with the cloud-based nature of the Firebase APIs. Anyone that knows the URL of your database can in in principle access it, and security rule are the way to ensure all access is authorized.

Note that security rules are not an all-or-nothing approach: you can require sign-in for some parts of your database, while leaving other parts publicly readable. But you can't make the publicly readable parts only be readable by your own app.

Some previous questions on the same topic:

Update: since May 2021 you can actually restrict access to just users of your App by implementing Firebase App Check.

Borate answered 25/8, 2018 at 14:21 Comment(1)
Thank you for your answer and especially the first link, I think it makes more sense nowMann
L
1

I have found a solution that maybe helps you or anyone that have a similar question. I answered it in this question:

Restricting Cloud Firestore to a specific domain

Lay answered 3/2, 2021 at 3:4 Comment(0)
S
0

It looks like there are two ways to do this:

The first less secure method be to use request.referrer in your security rules. Here, we limit it to a domain for write access:

   ".write": "request.referrer != null && request.referrer.startsWith('https://your-web-app-domain.com')"

Second, and much more securely, firebase has added App Check to offer and extra layer of security prior to ever seeing the security rules file.

Starla answered 12/7, 2023 at 21:9 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.