Firestore security rules without auth

Question

I stored my portfolio app data using Firestore and firebase storage. There are no user inputs or registration in my app, it's a simple portfolio to show my works. I want any user to be able to read the data coming from my firestore and firebase storage.

My current rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
    }
  }
}

The problem i have with this rules is that attackers can fluid my app with requests. I even got warning email says "Because your project does not have strong security rules, anyone can access your entire database. Attackers can read all of your data, and they can drive up your bill."

I do not have any sensitive data stored but i want to prevent additional charges from google. How can i set my Firestore security rules to enable any users to read without auth but prevent attacks?

DIGI Byte DIGI Byte · Accepted Answer · 2021-04-30T04:54:45

Firebase Security Rules don't like when a database point is left open, while this is normally done with Security Rules and Auth, You can define the readability of the document based on a value from inside the document.

In this example, the document has a bool value for Public

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow the user to read data if the document has the 'visibility'
    // field set to 'public'
    match /{document=**} {
      allow read: if resource.data.public == true;
    }
  }
}

Firestore security rules without auth

1 Answers