I have a simple search data app which gives the corresponding result for the user's input value.
My users can download the Firebase Realtime Database as a single file by going to https://test.firebaseio.com/data.json. How can I prevent this? Is there any way to give the search result only, without the full data being readable? I mean: don't allow the user to download the full JSON file, but allow search only.

- Do you have any [Firebase security rules](https://firebase.google.com/docs/database/security)? You can set `.read` to `false` at root node so no one would be able to read it. – Dharmaraj Nov 09 '21 at 12:59
- If I set `.read` to `false`, can my users search for it in the app? I need to allow that data in search results – J C Nov 09 '21 at 13:06
- Can you share a screenshot of your database and security rules? You can allow read only on nodes that should be public – Dharmaraj Nov 09 '21 at 13:10
- Updated in question above. – J C Nov 09 '21 at 13:19
1 Answer
Accessing the https://test.firebaseio.com/data.json URL is using the REST API of the Firebase Realtime Database. Given the nature of a cloud-hosted database, in general people will always be able to get any data through this API that they can also access in your application code.
In fact, in a well-written application the security rules of your database will match closely with the client-side code of that application. For example: if your application code only reads specific keys, your security rules should only allow those keys to be read - and reject reads of other data. This is known as the principle of least privilege and is key to a security strategy on Firebase.
For more on this, I recommend reading some of my answers to these recent questions:
Or these older but highly ranked answers:
Finally, to restrict access to the database to just your application code, consider implementing Firebase App Check. While it is not foolproof, using App Check reduces the abuse on your project by making it harder for malicious users to run their own code against your project.

- Suppose the application searches for `key4` and displays all key values as the search result in that block of JSON (key1 to 5) that matches the user input against `key4`; is it possible to prevent download of the whole database using the principle of least privilege? The whole database is an array of key 1 to 5 only – J C Nov 09 '21 at 16:17
- Quite a few things are possible in security rules, typically much more than folks expect. If you want to only allow reading nodes matching a specific query, have a look at https://firebase.google.com/docs/database/security/rules-conditions#query-based_rules. I recommend starting in the documentation and the links I provided, and seeing how far you can already get with securing the database to only allow what your code needs. If you are stuck at a specific use-case, post a question with the code, JSON and rules, so we can have a look. – Frank van Puffelen Nov 09 '21 at 19:39
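
The query-based rules approach from the comments above, as an added example that is not part of the original thread or anyone's actual project: a rules file that denies a plain read of `/data` but allows an exact-match search on `key4`. It assumes the records sit directly under `/data`, each with children `key1` to `key5`, and that the app searches with `orderByChild('key4').equalTo(...)`; the limit of 10 is an arbitrary value chosen for illustration.

```json
{
  "rules": {
    // Default deny: nothing is readable or writable unless a deeper
    // rule grants it. A grant lower in the tree still applies.
    ".read": false,
    ".write": false,

    // ASSUMPTION: records live under /data, as the /data.json URL suggests.
    "data": {
      // Index the child the app searches on, so the server can run
      // the query instead of the client filtering a full download.
      ".indexOn": ["key4"],

      // Allow a read of /data only when it is a query that
      //   1. orders by key4,
      //   2. carries an equalTo bound (an exact-match search), and
      //   3. asks for at most 10 results (assumed limit).
      // A read of /data without these query parameters has
      // query.orderByChild == null, so the condition is false.
      ".read": "query.orderByChild == 'key4' && query.equalTo != null && query.limitToFirst <= 10"
    }
  }
}
```

With these rules a plain GET of https://test.firebaseio.com/data.json is denied, while a request that sets `orderBy="key4"`, `equalTo` and `limitToFirst` (or the SDK equivalent `orderByChild('key4').equalTo(value).limitToFirst(10)`) is served. The client query has to include the limit, otherwise the third condition is not met.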