I have a very simple Firebase app that is being read and written to via JavaScript all on the client-side. There are no user accounts or server-side applications on my end.
Right now, anyone looking at my JavaScript can copy my Firebase URL and have full read/write access permissions.
Is there any easy way for me to secure this somehow considering I'm doing everything on the client side?
I'm having trouble understanding their documentation and how I can solve this use case.
I have a very simple Firebase app that is being read and written to via JavaScript all on the client-side. There are no user accounts or server-side applications on my end.
Right now, anyone looking at my JavaScript can copy my Firebase URL and have full read/write access permissions.
Is there any easy way for me to secure this somehow considering I'm doing everything on the client side?
I'm having trouble understanding their documentation and how I can solve this use case.
Share Improve this question asked Sep 4, 2015 at 16:58 RalphRalph 5171 gold badge6 silver badges16 bronze badges 1- Security rules! firebase./docs/security – Kato Commented Sep 4, 2015 at 18:58
1 Answer
Reset to default 9Data access is managed through Firebase's security rules language, that you can find in the Security & Rules tab of your Firebase dashboard.
When you create a new Firebase backend for an app, it defaults to allowing full read/write to everyone.
{
"rules": {
".read": true,
".write": true
}
}
The simplest possible change is to allow everyone to read, but no-one to write:
{
"rules": {
".read": true,
".write": false
}
}
This way you can only make changes to the data when you're an administrator, i.e. when you're using the Firebase dashboard.
The Firebase documentation has an entire section dedicated to securing your data.