Firebase security

3

I'm starting to study Firebase. I really liked the Firebase Realtime Database for the web, but one question that I can't get out of my head is: how do I protect my account if the configuration is in JS? I believe another malicious person could use the JS code, or is there no way?

<script src="https://www.gstatic.com/firebasejs/3.6.6/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: "E",
    authDomain: "",
    databaseURL: "",
    storageBucket: "",
    messagingSenderId: ""
  };
  firebase.initializeApp(config);
</script>

2 answers

5


In the Firebase console, on the Authentication tab, there is the option of authorized domains that are allowed to use Firebase.

By default, localhost and your project's domain are already registered.

Take a look at this link:

Set up Oauth redirect domains from a web app https://support.google.com/firebase/answer/6400741

Remember: if you leave localhost there, then yes, someone malicious can do something.

See a screenshot of where you can set it up: (image not available)

  • It took me a while to understand your answer, but that's right.

0

The domains allowed for authentication that Thiado Bocchile mentioned relate only to Authentication. That is, in the case of JavaScript front-end development, even if someone downloads your entire page, they will not be able to authenticate through that page, because it is not in an allowed location (assuming you have removed localhost, of course). But this is not enough, since it is not possible to hide the Firebase access data (even if you "hide" it on the server and fetch it at runtime, the access data returned by that request will be available in the JS file). You need to protect the data and files through user authorization, allowing only authenticated users to access the data, and only the data each user is authorized to access; otherwise the "invader" can, for example, access the data even without authentication, or with any user created on the page itself (or anonymously). Security in Firebase only works by combining Authentication with Authorization; any carelessness, and someone can read and erase all your data with 3 lines of code.

PS: although I said that "hiding" the data on the server does not solve it, it helps a little, because it is harder for the attacker to know what to look for in your code; by default, just searching for the word apiKey finds all the access information, even in minified code.
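One way to apply the Authentication-plus-Authorization point made in this answer, as an added example that is not part of either answer: Realtime Database rules that grant nothing at the root and let each signed-in, non-anonymous user reach only their own subtree. The `users/$uid` layout and the `public` node are assumptions about the app's data model; the Firebase rules editor accepts `//` comments.

```json
{
  "rules": {
    // No ".read"/".write" at the root: any path without an explicit grant
    // below is unreadable and unwritable, even for authenticated clients.
    // A root rule of ".read": true, ".write": true is the carelessness
    // that lets any client holding the public config read or erase everything.
    "users": {
      "$uid": {
        // Only the signed-in owner of this subtree may read it
        ".read": "auth != null && auth.uid === $uid",
        // Writes additionally require a non-anonymous sign-in, so an
        // account created on the page itself as "Anonymous" cannot modify data
        ".write": "auth != null && auth.uid === $uid && auth.token.firebase.sign_in_provider != 'anonymous'",
        "email": {
          // Shape checks stop a client from storing arbitrary values
          ".validate": "newData.isString() && newData.val().length < 254"
        },
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        },
        // Reject any child key not listed above
        "$other": { ".validate": false }
      }
    },
    "public": {
      // Readable by anyone, writable only by signed-in users
      ".read": true,
      ".write": "auth != null"
    }
  }
}
```

Each clause is evaluated server-side on every request, so it holds regardless of what a copied front end does with the apiKey and databaseURL.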
