I've stopped receiving emails from Firebase telling me that my realtime database has insecure rules. Here is the beginning of the rules I have set:
{
  "rules": {
    "aaa": {
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "bbb": {
      ".read": "auth != null",
      ".write": "auth != null"
    }
    //..... rest of the rules.
  }
}
Here "aaa" and "bbb" are the nodes I use in my Firebase realtime database. So you should mention all of yours.
Is this solution suitable?
CodePudding user response:
Your security rules should only allow what your application code does, and nothing more.
So if your code writes directly to "aaa" and/or "bbb" and writes whatever data it wants there, then your rules match that.
But typically your code will write data of a specific structure, in which case you should validate that structure with validation rules.
Also: does your code really need to delete or replace the entire "aaa" and/or "bbb" node? Or does it only need to append new child nodes to it? Because right now, your rules allow any user to take the configuration from your application and then do firebase.database().ref("aaa").remove() and wipe whatever is under it. Again: if that matches with what your application does, then the rules match that. But... it seems unlikely.
CodePudding user response:
Always try to include user uid for more security.
"aaa": {
  "$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"
  }
}
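As an added example (not from either answer), here is one way to combine both points above: structure validation so writes must match what the app actually stores, and no node-level ".write", so a client cannot call remove() on "aaa" and wipe it. The node names "aaa" and "bbb" come from the question; the child layout, field names and the 500-character limit are constructed assumptions to adapt to your own data shape.

```json
{
  "rules": {
    "aaa": {
      // Any signed-in user may read the node (assumed to match the app's behaviour).
      ".read": "auth != null",
      // No ".write" here: nobody can replace or delete the whole "aaa" node.
      "$postId": {
        // A signed-in user may only create a child that does not exist yet:
        // no overwrite, no delete.
        ".write": "auth != null && !data.exists() && newData.exists()",
        // Enforce the shape the app writes; constructed fields for illustration.
        ".validate": "newData.hasChildren(['uid', 'text', 'createdAt'])",
        // The stored uid must be the writer's own.
        "uid": { ".validate": "newData.val() === auth.uid" },
        "text": { ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 500" },
        "createdAt": { ".validate": "newData.isNumber()" },
        // Reject any field not listed above.
        "$other": { ".validate": false }
      }
    },
    "bbb": {
      // Per-user data: each user reads and writes only their own subtree.
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['name'])",
        "name": { ".validate": "newData.isString()" },
        "$other": { ".validate": false }
      }
    }
  }
}
```

You can check rules like these against sample writes in the Rules Playground of the Firebase console before deploying them.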