flutter app - firebase public access security rules
405
You are correct. That will allow anybody to read any part of your database.
Author: Mark
Updated on December 17, 2022
Comments
-
Mark 8 minutes
I'm making a simple app using firestore data but am thoroughly confused about security. Every course I took says maybe they'll "get to it later" but they never do.
So, to allow public access, i.e. anyone that installs the app can read all the documents, but not write, is this all I need to do:
match /{document=**} { allow read; }
This is very confusing, I don't have users or require a login.
-
Mark almost 3 years
Is this safe? The more I read everyone says there should be user authentication to prevent "outside" influences hacking the database. I'm confused as hell. Is it NOT good practice to have a public firestore app where users don't have to sign in? And if I use the code above will I still be able to add documents to my own app, if I don't specify Write access? Why does Google have to make everything so confusing.
-
dshukertjr almost 3 years
@Mark If you want your users to be able to add data to the database, then the above security rules are not safe. If the users will only read data, and all data in the database is public, then the above security rule would not be a problem.
-
Mark over 2 years
So I used the rules I posted above, and I now got a message from Google saying the rules are insecure and "attackers can read all our data and drive your bill up". So what are my options to prevent this if I only have a non-user-authenticated app?
-
dshukertjr over 2 years
@Mark If you have only non-authenticated users in your app, you pretty much have no options. Security rules and firebase-auth are tied together, and you would have to authenticate the users if you want to fully secure the app.
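
The rule from the question next to a narrower public-read form, as an added example that is not part of the original posts. The collection name `articles` and the limit of 50 are assumptions chosen for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // As posted in the question (shown commented out): the recursive
    // wildcard makes every document in every collection readable by
    // anyone, including collections created later.
    // match /{document=**} { allow read; }

    // Narrower form: only the one collection the app displays is public.
    // "articles" is a placeholder collection name (assumption).
    match /articles/{articleId} {
      // Reading a single document by its ID.
      allow get: if true;

      // Collection queries must carry a limit of at most 50 documents
      // (assumed value), so a single query cannot return the whole
      // collection. A query without a limit is rejected.
      allow list: if request.query.limit <= 50;

      // No client may create, update or delete documents.
      allow write: if false;
    }

    // No other path is matched, so every other read and write
    // is denied by default.
  }
}
```

Security rules apply to the mobile and web client SDKs; the Firebase console and the Admin SDK are not subject to them, so the project owner can still add documents while clients stay read-only.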