5

I have a little web app that constitues of only JavaScript/JQuery files.

It's kind of anonymous link based messaging app, so there's no authentication stuff.

I'm worried that someone can easily read/write to my database.

Is there any setting/security rule with which i can allow read/write requests from my domain only? (same origin policy)

ReyAnthonyRenacia
  • 17,219
  • 5
  • 37
  • 56
cht
  • 319
  • 3
  • 13
  • Possible duplicate of [Allow only request from a specific domain to read and write data firebase](https://stackoverflow.com/questions/45850188/allow-only-request-from-a-specific-domain-to-read-and-write-data-firebase) – Herohtar May 01 '19 at 04:13

1 Answers1

4

I would recommend just using the basic make sure they are logged in rule

{
   "rules": {
       // only authenticated users can read or write to my Firebase
       ".read": "auth !== null",
       ".write": "auth !== null"
   }
}

But wait, I want to stop access from other domains!

Well you can set the authorized domains from the authorization panel in the firebase console. This would only allow users to log in from your url and only your url and only logged in users can read/write.

Niles Tanner
  • 3,911
  • 2
  • 17
  • 29
  • 2
    It might be worth mentioning [anonymous auth](https://firebase.google.com/docs/auth/web/anonymous-auth), which is a way to ensure a user is signed in without requiring them to enter credentials. – Frank van Puffelen Jan 01 '18 at 16:20