How do I prevent other users from accessing my Realtime Database via my Firebase URL? What must I do to secure it to only my domain?
2 Answers
First of all, understand that you cannot secure any URL on the internet according to the origin domain--malicious users can simply lie. Securing the origin domains is only useful in preventing cross-site spoofing attacks (where a malicious source pretends to be your site and dupes your users into logging in on their behalf).
The good news is that users are already prevented from authenticating from unauthorized domains from the start. You can set your authorized domains in Forge:
- type your Firebase url into a browser (e.g. https://INSTANCE.firebaseio.com/)
- log in
- click on the Auth tab
- add your domain to the list of Authorized Requests Origins
- select a "provider" you want to use and configure accordingly
Now to secure your data, you will go to the security tab and add security rules. A good starting point is as follows:
{
"rules": {
// only authenticated users can read or write to my Firebase
".read": "auth !== null",
".write": "auth !== null"
}
}
Security rules are a big topic. You will want to get up to speed by reading the overview and watching this video
Setup security Rules, source to learn : https://firebase.google.com/docs/rules
Use Emulators (It will make keys not easy to visible by beginner programmers) , source : https://firebase.google.com/docs/rules/emulator-setup
Cloud Functions (It will hide the names of Collections and Docs) , https://firebase.google.com/docs/functions
Limit the API keys to specific website/s(It will make peoples unable to access your website/app from outside)
if someone knows more methods, please tell, no one can be perfect.