
I have the following Firebase realtime database rules:

```json
{
   "rules": {
       ".read" : "auth != null",
       ".write": false,

       "Games": {
           ".indexOn" : "WeekId"
       },
       "Version": {
           ".read" : true
       }
       ...
   }
}
```

I keep getting the following email from Google:

[Firebase] Your Realtime Database 'xxx-9e542' has insecure rules

We've detected the following issue(s) with your security rules:

  • any logged-in user can read your entire database

Without strong security rules, anyone who has the address of your database can read / write to it, leaving your data vulnerable to attackers stealing, modifying, or deleting data as well as creating costly operations.

So based on my rules above, I KNOW, that I have rules in place to allow logged in users to read the Games node and that ALL users can read the Version node even non authenticated users.

As far as I know, it needs to be this way because I require ALL logged in users to be able to access the Games node information, else how would they be able to view the list of games they can select from!?

As for the Version node, I use that in the instance I need everyone that downloaded my app to "Force Upgrade" my app because of a change that is required. In this instance, I would need the users that have downloaded an older version of my app and that are either "logged in" or "not logged in" and force them to update the app or else they cannot use it.

Can anyone let me know if I am off base with how I structured my security rules or is this "normal" and that I am receiving the email just as a FYI!?

How have others set up their rules!? Or what are the "best practices" for setting up security rules!? esp. if you need logged in users to access the information of any particular node(s) 24/7!?

Frank van Puffelen
Learn2Code

1 Answer

The main problem with your current rules is that anyone can sign in through the API and read your entire database, even if they know nothing about your application. They can just read the root of the database, and then start looking at your data.

The first step to improve security would be to not allow read on the top-level, but only at lower levels:

```json
{
   "rules": {
       ".write": false,

       "Games": {
           ".read" : "auth != null",
           ".indexOn" : "WeekId"
       },
       "Version": {
           ".read" : true
       }
       ...
   }
}
```

Now nobody can read from the root, and you must know that the Games or Version node exists in order to read it.

Frank van Puffelen
  • AHHHHH I see!!! Thank you for that tip!!! I was being 'lazy' and put the `".read" : "auth != null"`, at the root to save me from having to repeat it at every node... I guess secure and lazy are never a good combination... – Learn2Code Sep 28 '20 at 14:34
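
A simplified model of how `.read` rules cascade from the root down, showing why the root-level rule in the question exposes every node while the per-node rules in the answer do not. This is an added example, not code from the question, the answer or Firebase: `evalExpr`, `canRead`, `report` and the sample `user` are hypothetical names, only the three rule expressions shown on this page are handled, and the nodes elided by `...` are left out.

```javascript
// Simplified model of Realtime Database ".read" cascading (added example,
// not Firebase's rules engine). Handles only the expressions on this page.
function evalExpr(expr, auth) {
  if (expr === true || expr === "true") return true;
  if (expr === false || expr === "false") return false;
  if (expr === "auth != null") return auth !== null;
  throw new Error("unsupported rule expression: " + expr);
}

// Walk from the root down to `path`. A ".read" that evaluates to true at any
// level grants the read, and a deeper rule cannot revoke that grant.
function canRead(rules, path, auth) {
  let node = rules.rules;
  const segments = path.split("/").filter(Boolean);
  for (let depth = 0; depth <= segments.length; depth++) {
    if (node === null || typeof node !== "object") return false; // no rules here or below
    if (".read" in node && evalExpr(node[".read"], auth)) return true;
    node = node[segments[depth]];
  }
  return false;
}

// Rules from the question (root-level read for any signed-in user).
const original = { rules: { ".read": "auth != null", ".write": false,
  Games: { ".indexOn": "WeekId" }, Version: { ".read": true } } };

// Rules from the answer (read granted per node only).
const revised = { rules: { ".write": false,
  Games: { ".read": "auth != null", ".indexOn": "WeekId" },
  Version: { ".read": true } } };

// Constructed auth object standing in for any signed-in account.
const user = { uid: "constructed-uid" };

// "/Users" is a constructed path that has no rule of its own.
function report(rules) {
  return ["/", "/Games", "/Version", "/Users"].map((path) => ({
    path,
    signedIn: canRead(rules, path, user),
    signedOut: canRead(rules, path, null),
  }));
}

console.table(report(original));
console.table(report(revised));
```

Under the original rules every path, including the root and the node with no rule of its own, is readable by any signed-in account; under the revised rules only `/Games` (signed in) and `/Version` (everyone) are.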