0
votes

I have the following scenario.

Firestore.

Security rules:

read: allow to anyone

write: disallow to anyone

I have a website which reads data from Firestore and outputs it to the end user (the real-time data).

There is no user registration on that website.

Daily I receive an e-mail from Firebase (image attached).

And my quota runs out very fast.

What solutions do I have? The logic for me is fine.

The quota should not run out; we don't have many users on the website.

For example, if I set up authentication for a single user and auth that user via the website (frontend), the credentials can still be viewed in the source code. So I think that this solution will not make sense.


1
Do you mean the 50k reads free quota? If it gets exceeded and it shouldn't, then I guess there is something wrong with the logic during requests; somehow they do excessive document reads. - Emil Gi

1 Answer

0
votes

As the email says, "anyone can access your entire database". This is a security problem. Your rules probably allow access to everything through some rule that matches /{document=**}. You should remove this rule and replace it with something more specific. For example, you should write rules to allow only access to the collections that should be public. Read the documentation for security rules for more information.

Your quota is a different issue. If you want to support larger quantities of access, you should upgrade to a payment plan and actually pay for that access.
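The rule change described in this answer, as an added example that is not part of the original answer: the open recursive-wildcard rule is shown commented out beside a scoped replacement. The collection name `publicFeed` and the limit of 50 are assumptions made for illustration; the question does not name its collections.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BEFORE (weak): the recursive wildcard matches every document in
    // every collection, so the whole database is world-readable.
    // This is the pattern the Firebase warning e-mail is about.
    //
    // match /{document=**} {
    //   allow read: if true;
    //   allow write: if false;
    // }

    // AFTER: only the collection the site actually displays is readable.
    // "publicFeed" is a hypothetical name; substitute the real collection.
    match /publicFeed/{docId} {
      // Single-document reads stay open to unauthenticated visitors.
      allow get: if true;

      // Collection queries and listeners must request a limit of at most
      // 50 documents (assumed value), which bounds the reads one query
      // can bill against the quota.
      allow list: if request.query.limit <= 50;

      // No client writes, as in the original setup.
      allow write: if false;
    }

    // No other match block exists, so every other path is denied by
    // default. Rules are additive: if the old /{document=**} rule is left
    // in place alongside this one, it still grants read access everywhere,
    // so it has to be removed, not just supplemented.
  }
}
```

With the `list` condition in place, client queries on that collection need an explicit `.limit(n)` with `n` no greater than 50.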