I'm looking into using Firebase for a project that's otherwise a static site with JS. Is it possible to secure the connection to the database in a static site? Wouldn't all security rules, the endpoint URL, etc., all be exposed in the JS code, letting the user make any requests they want (good or bad)?
1 Answer
The short answer is yes: by authenticating your users and writing security rules, you can fully restrict read / write access to your Firebase data.
In a nutshell, Firebase security is enforced by server-side rules that you author, which govern read or write access to given paths in your Firebase data tree.
Firebase security rules are JavaScript-like expressions: easy-to-write expressions that have access to the credentials for the connection, and the view of the Firebase data tree as it exists, along with pending changes on write.
In most cases, your client-side logic, templates, assets, etc. will be static and public. What you're really looking to secure is user and application data, and this is where Firebase Authentication (whether using custom Firebase authentication tokens or Firebase Simple Login) comes in. Firebase Authentication is essentially token generation - taking confirmed, identifiable user data and passing it securely to Firebase so that it cannot be spoofed. This confirmed credential data is then made available in your security rules.
Check out https://stackoverflow.com/a/20842986/879295 for an example, and the Firebase Security Quickstart Video for a great overview / starting point.
The one detail is what normally happens with server-side validation. There will still be circumstances in which you want to validate something outside of the client's control and persist that to a database. This is not a security issue with Firebase, it's an architectural issue. Just because you can directly write to Firebase from the client doesn't mean you always should. You have not automagically eliminated the need for server-side code in every circumstance. Writing secure apps is hard - Firebase security is one part of that, but it doesn't account for everything. Personally, I <3 it. ;) – jpoveda Nov 26 '15 at 17:58
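A concrete Realtime Database rules file illustrating both the answer (rules that read the authenticated identity and the pending write) and jpoveda's point that some data should only ever be written server-side. This is an added example, not code from the answer, the comment, or Firebase's own documentation; the paths `users`, `profile`, `scores` and the field `displayName` are assumed for illustration.

```json
{
  "rules": {
    // Nothing is readable or writable unless a rule further down grants it.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // auth is populated from the verified token, so a signed-in client
        // can only reach its own subtree; the uid is never taken from the payload.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",

        "profile": {
          // newData is the tree as it would look after the pending write.
          ".validate": "newData.hasChildren(['displayName'])",
          "displayName": {
            ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 50"
          },
          // Any key not listed above is rejected, so a client cannot add
          // unexpected fields (assumed shape for this example).
          "$other": { ".validate": false }
        }
      }
    },

    "scores": {
      // Any signed-in client may read the leaderboard...
      ".read": "auth != null",
      // ...but no client can write it. Only trusted server code (authenticated
      // with the app secret or a service account, which bypasses these rules)
      // writes here after doing its own validation, which is the server-side
      // step the comment above refers to.
      ".write": false
    }
  }
}
```

Because the rules are evaluated by Firebase's servers, shipping them to the client (or the client reading them out of the console) gives an attacker nothing to bypass: the endpoint URL is public by design, and every request is still checked against `auth` and the rule tree before it touches data.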
I have read on multiple sites that the JWT should only be stored in HttpOnly cookies, but Firebase stores them in localStorage. Am I missing something? – Krueger Jan 10 '22 at 17:25