12

I recently started using firebase to store data and have had my rules set to public temporarily. I don't want to add user authentication, but instead was wondering if I could set the firebase rules so only my domain can read and write the data.

  • this is the same as Knox's response, it works https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification – codmitu May 29 '21 at 10:39

2 Answers

7

The only way to restrict access to Realtime Database for certain users is through Firebase Authentication. There's no way to limit access to certain regions, IPs, or other ways of categorizing the end user.

EDIT: Firebase App Check provides some amount of protection, but it is not guaranteed.

Doug Stevenson
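As an added illustration (not from this answer and not Firebase's own code), here is the rules change the answer points to, next to the "public" state the question describes, with a small audit that flags any `.read`/`.write` granted unconditionally. Both rule documents are constructed samples.

```python
import json

# Constructed sample: the "rules set to public" state described in the question.
PUBLIC_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed sample: the same database gated on Firebase Authentication
# (auth is null for unauthenticated requests), with one deliberately public subtree.
AUTH_RULES = json.loads("""
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "public_config": { ".read": true }
  }
}
""")


def _is_open(expr):
    # Realtime Database accepts either the JSON boolean true or the string "true".
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def find_open_rules(rules_doc):
    """List (path, permission) for every .read/.write that unconditionally
    grants access. Rules cascade downward, so a hit at /rules exposes the
    whole database, not just the root node."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path, key))
            elif isinstance(value, dict):  # child location or $wildcard
                walk(value, f"{path}/{key}")

    walk(rules_doc["rules"], "/rules")
    return findings


def is_fully_public(rules_doc):
    """True when anyone on the internet can both read and write everything."""
    root_open = {perm for path, perm in find_open_rules(rules_doc) if path == "/rules"}
    return root_open == {".read", ".write"}


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_RULES), ("auth-gated", AUTH_RULES)):
        print(name, find_open_rules(doc), "fully public:", is_fully_public(doc))
```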
3

I believe you can do it with the service account linked with your Firebase account. You can manually create a whitelist of URLs allowed to use your API key. The trick is that it is found in the Google Cloud Platform, not the Firebase Console. However, there is a nifty link in Firebase Console that will take you to where you need to be.

(Also, the direct link of where to go is https://console.cloud.google.com/apis/credentials but make sure you are logged into an "Owner" or "Editor" account listed on the "Users and permissions" tab found at step two below.)

Here are the steps:

  1. Log into your Firebase Console and go to the gear icon next to "project overview" in the top left of the Firebase console.

  2. Then navigate to the "Users and permissions" tab

  3. Then click the small blue link underneath the main table on the screen that says "Advanced permission settings".

  4. It should take you to Google Cloud Console. (Make sure you are logged into an "Owner" or "Editor" account listed on the "Users and permissions" tab you were just looking at from the Firebase Console.) Click the menu in the top left of the Google Cloud Console, and go to "APIs & Services"

  5. Then click the sub-menu item "credentials"

  6. Click the desired API key you want to restrict.

  7. And set the websites you want to allow access by clicking the radio button "HTTP Referers" under "Application Restrictions", adding an item, entering the web address, and hitting done to save the changes.

Hopefully, that gets you what you need! :)

Knox
  • The challenge is, API requests are made during development, and adding `localhost` to the list is pointless IMO - since (assuming it's even a thing) would effectively give everyone access... – kawerewagaba Dec 05 '20 at 15:51
  • @kawerewagaba You can create a `localhost` alias by modifying your `/etc/hosts` file and whitelist that value instead. Since it is only used locally, it will be unknown to the world. – iusting Jan 01 '22 at 11:41
  • @iusting Can you explain what you mean with the /etc/hosts solution? I'm not sure I understand. What entry would I add to my /etc/hosts and what would I then whitelist in the GC console? – Gottfried Feb 26 '22 at 21:04
  • 1
    @Gottfried The /etc/hosts file is used by your machine to resolve localhost and other hosts (a host name into an address). By default it has at least one entry: `127.0.0.1 localhost`. But you may modify it to hold other host names, by adding new entries on a new line (e.g. `127.0.0.1 myapp-local`). This will mean that accessing `myapp-local:` is the same as `localhost:`. And since this file is only on your local machine, the alias you choose is private. Then you may whitelist `myapp-local` (or whatever alias you chose) instead of the `localhost` domain in the GC console. – iusting Mar 02 '22 at 22:00
  • 1
    this doesn't work! I can still access firebase from any URL – savram Jun 03 '22 at 02:20
  • @Frank van Puffelen Hi Puff. There are unclear things. I would really appreciate it if you can clarify. In short, I built a static single page web app without an API. My only backend is Firebase Realtime DB. I would like to allow every user that enters my website to read/write my DB without any authentication. So, my Firebase configs are on the client side. People can read them. When I look at this answer, it is obviously what I need. But it doesn't work. Is there any way to make it work? I want to restrict my DB with my domain, not my users. Isn't it possible? – berkan Nov 23 '22 at 22:23