0

Right now I'm writing the rules for a Firestore database, allowing reads only to anonymous and registered users, because I don't know if it is a good idea to leave the database open for everyone to read by any means (like curl).

Do you think it's OK to leave it open to read, or should I continue to use anonymous and registered rules?

BTW, this is only about read operations. Write operations are secured, and some collections are off limits even to every registered user.

Frank van Puffelen

1 Answer

1

Your instinct is correct: it's almost never a good idea to leave your database completely open even for read-only operations. Cloud Firestore charges per document read, so if your database is open to the whole internet someone could (on purpose or not) run up a bill by just attempting to read your entire database over and over.

Sam Stern
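A sketch of Firestore rules for the setup discussed in the question and answer, added here as an example and not code from either poster. The collection names (`articles`, `members`, `internal`), the list limit of 50, and the blanket write denial are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting, shown commented out for comparison: no sign-in needed,
    // so any HTTP client can read, and every document read is billed.
    // match /articles/{doc} {
    //   allow read: if true;
    // }

    // Signed-in users only. Anonymous sign-in also populates request.auth,
    // so anonymous and registered users both pass this check.
    match /articles/{doc} {
      allow get: if request.auth != null;
      // Cap list queries so one query cannot pull the whole collection.
      allow list: if request.auth != null && request.query.limit <= 50;
      allow write: if false; // placeholder; the real write rules go here
    }

    // Registered (non-anonymous) users only (hypothetical collection).
    match /members/{doc} {
      allow read: if request.auth != null
                  && request.auth.token.firebase.sign_in_provider != 'anonymous';
      allow write: if false;
    }

    // Off limits to every client. Server code using the Admin SDK
    // bypasses rules and can still reach it.
    match /internal/{doc} {
      allow read, write: if false;
    }
  }
}
```

The Firebase console's Rules Playground or the local emulator can be used to confirm that an unauthenticated read of each path is denied before deploying.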