
As anyone can access and read my JavaScript file using view-source: in the browser, they can also see my Firebase config:

```javascript
var firebaseConfig = {
    apiKey: "<apikey>",
    authDomain: "<authDomain>",
    databaseURL: "https://<databaseurl>",
    projectId: "<projectId>",
    storageBucket: "<projectId>.appspot.com",
    messagingSenderId: "<messagingSenderId>",
    appId: "<appId>"
};

// Initialize Firebase
firebase.initializeApp(firebaseConfig);
```

If anyone tries to access my database using the database URL from the config, Firebase will deny permission, but if anybody tries to access my database JSON file from this link: https://PROJECTID.firebaseio.com/.json, then he/she can easily read my full JSON, meaning they can easily access what I have stored in the database. Is there any way to deny permission to see my database JSON file from https://<PROJECTID>.firebaseio.com/.json?

Yes, I know it will not cause problems if I apply Firebase security rules, but I am creating a messaging website and I want to keep my user data private. And yes, if the user creates a password for him/herself they can keep their data private, but if somebody is an expert in coding or can read the JSON, he/she can easily read the data of my whole Firebase real-time database.

If you don't understand what I want to say, then you can see a demo I've created to understand it better here: https://game-check-2-default-rtdb.firebaseio.com/.json

If anybody knows it please help me.

Edited: My Firebase rules:

```json
{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    ".read": true,
    ".write": "data.exists() && newData.exists()"
  }
}
```
  • Have you checked [Firebase Security Rules](https://firebase.google.com/docs/database/security) ? – Dharmaraj Jul 18 '21 at 15:43
  • It is safe to expose these Firebase config credentials on the frontend. Please see my separate SO answer here: https://stackoverflow.com/a/64678586/13714870. The security rules you define server-side should protect your data. – Marc Jul 18 '21 at 15:48
  • @Dharmaraj Yes, I read it. But the problem is that I am creating a messaging website and I want to keep user data private, but anyone can use my databaseURL+/.json to access the data in JSON format. – Om Tejaswi Jul 19 '21 at 03:01
  • @OmTejaswi As Dharmaraj linked, you need to apply security rules to your database to prevent someone just pulling all the data. The Firebase configuration data is [public knowledge](https://stackoverflow.com/q/37482366/3068190) and can be accessed at `firebase.app().options` even if you did manage to hide/encrypt it. The Firebase documentation has [many rules examples](https://firebase.google.com/docs/database/security/rules-conditions) related to what you are trying to do and there are [approaches that don't use authentication](https://stackoverflow.com/a/68411885/3068190) to restrict access. – samthecodingman Jul 19 '21 at 09:21
  • If it wasn't clear already, if you set your security rules up properly, visiting `https://.firebaseio.com/.json` will throw an error rather than just show all the data in your database. – samthecodingman Jul 19 '21 at 09:24
  • @samthecodingman you can check it from here, I've created a demo to show you: https://game-check-2-default-rtdb.firebaseio.com/.json – Om Tejaswi Jul 20 '21 at 08:07
  • @OmTejaswi Please edit your current security rules into your question. – samthecodingman Jul 20 '21 at 08:32
  • @OmTejaswi Using `".read": true` gives complete read access to your entire database. If you change it to `".read": false`, it will block access as you desire. However, as your app depends on having **some** public data, you will need to learn and configure your security rules to allow access to that data, and that data only. The steps for which are covered in the links provided above by Dharmaraj, Marc and me. – samthecodingman Jul 21 '21 at 13:29
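
The point made in the last comment, as an added example that is not part of the original thread: a small audit that lists the paths of a Realtime Database ruleset that anyone can read, run on the rules from the question and on a hardened layout. The `/public` and `/users/$uid` schema, `hardenedRules` and the function names are assumptions made for illustration.

```javascript
// Added example: audit Realtime Database rules for paths open to everyone.
// Rules cascade: access granted at a parent cannot be revoked further down.

// Rules from the question (comment stripped so it is a plain object).
const questionRules = {
  rules: {
    ".read": true,
    ".write": "data.exists() && newData.exists()"
  }
};

// Hypothetical hardened layout (assumed schema: /public and /users/$uid).
const hardenedRules = {
  rules: {
    public: { ".read": true, ".write": false },
    users: {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
};

// True when a rule value grants access unconditionally.
function isUnconditional(value) {
  return value === true || (typeof value === "string" && value.trim() === "true");
}

// Returns the shallowest paths where `op` (".read" or ".write") is open to everyone.
function findOpenPaths(ruleset, op = ".read") {
  const open = [];
  const walk = (node, path) => {
    if (isUnconditional(node[op])) {
      open.push(path || "/");
      return; // everything below is already exposed by the cascade
    }
    for (const [key, child] of Object.entries(node)) {
      if (!key.startsWith(".") && child !== null && typeof child === "object") {
        walk(child, `${path}/${key}`);
      }
    }
  };
  walk(ruleset.rules || {}, "");
  return open;
}

console.log(findOpenPaths(questionRules)); // [ '/' ]
console.log(findOpenPaths(hardenedRules)); // [ '/public' ]
```

A result of `/` means the whole database is served to any unauthenticated request for `/.json`, which is what the demo link in the question shows.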

0 Answers