Firebase security

Question

Firebase security

Asked 7 years, 9 months ago

Viewed 807 times

3

I’m starting to study firebase, I really liked the firebase database Altime for web, but one question that does not come out of my head is, how to protect my account if the data settings are in js? like another malicious person can use js code believe, or there is no way..

<script src="https://www.gstatic.com/firebasejs/3.6.6/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: "E",
    authDomain: "",
    databaseURL: "",
    storageBucket: "",
    messagingSenderId: ""
  };
  firebase.initializeApp(config);
</script>

1

Security’s all over the Rules...

– Rodrigo Araujo Lima

2017/05/10 at 19:24

2 answers

5

There on the island of firebase, on the flap Authentication has the option of authorized domains to use the Firebase.

By default already registered localhost and mastery of your project.

Take a look at this link:

Set up Oauth redirect domains from a web app https://support.google.com/firebase/answer/6400741

Remembering that: if you leave the localhost, there yes someone malicious can do something.

See a print of where you can set up:

It took me a while to understand your answer but that’s right

– Lennon S. Bueno

2017/04/19 at 18:40

Browser other questions tagged javascript firebase

You are not signed in. Login or sign up in order to post.

by Rodolfo Patane • **319** points · Answer 1 · 2017-12-19T16:13:11+00:00

The domains allowed for authentication that the Thiado Bocchile spoke, has to do only with the Authentication, that is, in the case of javascript frontend development, even if they download your entire page, it will not be possible if Authenticate through this page because it is not in an allowed location(if Voce has removed the clear localhost) but this is not enough, as it is not possible to hide the access data from firebase (even if you "hide" on the server and search at runtime the access data for this search will be available in the js file) you need to protect the data and files through the Authorisations users, to allow only users Authenticated can access the data, and only the data that each user has Authorization, otherwise, the "invader" can for example access the data even without authentication, or with any user, created on the page itself (or as Anonimo), the security in firebase only works by uniting Authentication with Authorization, any carelessness, and someone can read and erase all your data with 3 lines of code.

ps. although I have said that "hiding" the data on the server does not solve, it helps a little because it is more difficult for the attacker to know what is looking for in his code, by default it is only he search for the word apiKey that he finds even in the minified code all the access information.