🔥 Firebase Security Awareness!

If, like many developers, you use Firebase for an online database or for storage, and you are running your own instance of Firebase, not the MIT-provided instance, then you should be aware of the need to secure your data when in production.

If you are working with other people's personal data, you have a duty to protect it.

For development you can set read and write to true, which makes life a little easier, but when you come to production you MUST tighten up your rules and have some form of security in place, through the authenticated user system and Firebase rules.

You must also NEVER release your [PROJECT_ID] if you are running without any security rules. An unscrupulous user, if they have your [PROJECT_ID], can very simply, from a command line, wipe all your data using the Firebase REST API, and you would never know who did it.

[PROJECT_ID]? You find this in your Firebase URL:

https://[PROJECT_ID].firebaseio.com/

Similarly, you should ensure that authenticated users can only write or remove data that they themselves have created (whilst being able to read whatever you offer for them).

https://firebase.google.com/docs/database/security/securing-data

https://firebase.google.com/docs/database/security/user-security

A new (Dec 2021) video series on Firebase Auth starts with this one:

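As an added illustration (not part of the original post, and not code from Firebase or MIT), here is a Realtime Database rules file that puts the wide-open development setting beside a production ruleset following the advice above: signed-in users can read the shared data, each record can only be changed or deleted by the user who created it, and each user's private node is reachable only by that user. The `posts`, `owner` and `users` paths are assumed names for the example; substitute your own structure. Firebase accepts `//` comments in rules files.

```json
{
  "rules": {
    // DEVELOPMENT ONLY. This is what many people run while building:
    // anyone who knows the [PROJECT_ID] can read, overwrite or delete
    // everything through the REST API without signing in. Never ship it.
    //
    // ".read": true,
    // ".write": true

    // Production: deny everything by default. Read/write permissions
    // cascade downwards, so grant access only on the specific paths
    // below and never put a permissive rule at the root.
    ".read": false,
    ".write": false,

    // Shared data (assumed path name): signed-in users may read all of it,
    // but a record can only be written or removed by its creator.
    "posts": {
      ".read": "auth != null",
      "$postId": {
        // Create if the record does not exist yet; update or delete only
        // if the stored 'owner' field matches the caller's uid.
        ".write": "auth != null && (!data.exists() || data.child('owner').val() === auth.uid)",
        // Every record that is written must carry the writer's own uid as
        // 'owner', so ownership cannot be claimed for someone else.
        // (.validate is not evaluated for deletions.)
        ".validate": "newData.hasChildren(['owner']) && newData.child('owner').val() === auth.uid"
      }
    },

    // Private per-user data (assumed path name): only the matching
    // signed-in user can read or write their own node.
    "users": {
      "$uid": {
        ".read": "auth != null && $uid === auth.uid",
        ".write": "auth != null && $uid === auth.uid"
      }
    }
  }
}
```

After publishing the rules, check them the way an attacker would: an unauthenticated GET of `https://[PROJECT_ID].firebaseio.com/.json` should now answer with `{"error":"Permission denied"}` instead of dumping the whole database, and the Rules Playground in the Firebase console lets you simulate writes as a specific uid to confirm that one user cannot overwrite another user's record.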