You have to know that as soon as (1) someone has the Web API Key of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign up to your project (i.e. create a new account).
Getting the Web API Key is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
Consequently, rules only based on "auth != null" allow anyone that has signed up through the REST API to access your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.
One classical approach to prevent "non-desired" users from accessing data is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules. See the doc for more details.
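As an added example (not part of the original answer): a rule set gated only on "auth != null" next to one gated on a custom claim, a small check that flags the first kind in a rules tree, and the Admin SDK call that grants the claim. The claim name `approved`, the `data` path and the function names are assumptions made for this example.

```javascript
// Constructed sample rules. The "approved" claim and the "data" path are
// assumptions made for this example, not names from the original answer.
const weakRules = {
  rules: { ".read": "auth != null", ".write": "auth != null" },
};
const claimRules = {
  rules: {
    data: {
      ".read": "auth.token.approved === true",
      ".write": "auth.token.approved === true",
    },
  },
};

// Walk a Realtime Database rules tree and report every .read/.write
// expression that is public ("true") or only checks that the caller is
// signed in, which any self-registered account satisfies.
function findOpenRules(node, path = "") {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === ".read" || key === ".write") {
      const expr = String(value).replace(/\s+/g, "");
      const authOnly = /^auth(!=|!==)null$/.test(expr);
      if (value === true || expr === "true" || authOnly) {
        findings.push({ path: path || "/", rule: key, expr: String(value) });
      }
    } else if (value !== null && typeof value === "object") {
      findings.push(...findOpenRules(value, `${path}/${key}`));
    }
  }
  return findings;
}

// Grant the claim server-side. `adminAuth` is assumed to be the object
// returned by getAuth() from "firebase-admin/auth". setCustomUserClaims
// replaces the whole claims object, so existing claims are merged in first.
async function approveUser(adminAuth, uid) {
  const user = await adminAuth.getUser(uid);
  const claims = { ...(user.customClaims || {}), approved: true };
  await adminAuth.setCustomUserClaims(uid, claims);
  return claims;
}

console.log(findOpenRules(weakRules.rules));
console.log(findOpenRules(claimRules.rules));
```

A newly set claim only appears in `auth.token` once the user's ID token has been refreshed.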