I have a Next.js application and I'm using Firebase database. I have not added security rules as I'm not using authentication.
I'm hosting on Vercel and my Firebase config is stored in environment variables. I heard that not using Firebase is a security risk but I don't understand how. Even though the client makes the request, the server API is the one making Firebase calls.
How is it that the user can hack my Firebase requests and modify my database if I don't use security rules?
CodePudding user response:
If your client app is not using the provided web or mobile APIs to directly access the database, then security rules are not ever being used. They only apply to web and mobile access. Backend access bypasses rules completely.
If you have no direct client access, then security rules are meaningless. Hackers will have to find some other way to gain unauthorized access to your database other than exploiting a lack of rules.
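The configuration that matches the setup described in the answer, as an added example that is not part of the original post: it assumes the Realtime Database and a server that talks to it through the Admin SDK. Because backend access bypasses rules, denying every direct client request costs the server nothing and leaves the server API as the only path to the data.

```json
{
  // Assumption: Realtime Database, with every read and write made by
  // the server API through the Admin SDK (not affected by these rules).
  "rules": {
    // Reject all requests that arrive through the web or mobile client APIs.
    ".read": false,
    ".write": false
  }
}
```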