How do I prevent un-authorized access to my Firebase Realtime Database?

firebase firebase-security

First of all, understand that you cannot secure any URL on the internet according to the origin domain--malicious users can simply lie. Securing the origin domains is only useful in preventing cross-site spoofing attacks (where a malicious source pretends to be your site and dupes your users into logging in on their behalf).

The good news is that users are already prevented from authenticating from unauthorized domains from the start. You can set your authorized domains in Forge:

  • type your Firebase url into a browser (e.g. https://INSTANCE.firebaseio.com/)
  • log in
  • click on the Auth tab
  • add your domain to the list of Authorized Requests Origins
  • select a "provider" you want to use and configure accordingly

Now to secure your data, you will go to the security tab and add security rules. A good starting point is as follows:

{
   "rules": {
       // only authenticated users can read or write to my Firebase
       ".read": "auth !== null",
       ".write": "auth !== null"
   }
}

Security rules are a big topic. You will want to get up to speed by reading the overview and watching this video

Related

How to display data from Firestore in a RecyclerView with Android?
About Tentative definition
How to dynamically add JSF components
Get fragment (value after hash '#') from a URL [closed]
Setting the default JSON serializer in ASP.NET MVC
How can I access a JavaScript object which has spaces in the object's key?
Dictionary style replace multiple items
Creating an array from a text file in Bash
Boolean operators vs Bitwise operators
How do I share data between components in Angular 2?
How can I update code that uses the deprecated each() function?
Maven dependencies are failing with a 501 error