Cloud Storage - Disabled Public Access Prevention, but Failed

Time:09-17

Okay, I was using Flutter and Firebase to upload data into Cloud Storage. I gained the downloadURL, which can be accessed on the web if people know the URL. I had enabled Public Access Prevention in the Google Cloud Storage Console based on this Authenticated URL.

Updated v1:

I think I haven't activated Firebase App Check. Does this feature have the ability to prevent it from being accessed publicly, or maybe there are other things that I have to do to prevent it from being accessed publicly, besides all the ways I described above?

Cloud Security Rules

Shown it's not public

Image on Google Cloud Storage

CodePudding user response:

Security rules only check if a user can get the download URL and do not restrict anyone from using it. You can use the getData() method instead. It doesn't return any URL and downloads the files directly and is controlled by security rules. So a user must be authenticated to fetch them.

CodePudding user response:

As mentioned in the answer:

If you're using the FlutterFire Storage library in your app, you can call getData on a reference to the file to get its data. So with that you just need to know the path to the data, and you won't need the download URL in your application. Once you have the data locally, you can create an image out of it with: Converting a byte array to image in Flutter?

Unlike download URLs, the call to getData() is checked by security rules, so you'll have to ensure that the user is permitted to access the file.

You can also refer to this answer:

For web apps: in the JavaScript/Web SDK using a download URL is the only way to get at the data, while for the native mobile SDKs we also have getData() and getFile() methods, which are enforced through security rules.

Until that time, if signed URLs fit your needs better, you can use those. Both signed URLs and download URLs are just URLs that provide read-only access to the data. Signed URLs just expire, while download URLs don't.

For more information, you can refer to this GitHub issue where a similar issue has been discussed.
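
The approach both answers describe, as an added example that is not part of the original posts: the file is read with `getData()` so the request is evaluated by security rules, and no download URL is ever created. The `uploads/<uid>/<fileName>` path layout, the rule shown in the comment, the 5 MiB cap and the `fetchPrivateImage` / `PrivateImage` names are assumptions made for illustration.

```dart
import 'dart:typed_data';
import 'package:firebase_auth/firebase_auth.dart';
import 'package:firebase_storage/firebase_storage.dart';
import 'package:flutter/material.dart';

// Assumed Storage security rule for this example (not from the original post):
//   match /uploads/{uid}/{file} {
//     allow read: if request.auth != null && request.auth.uid == uid;
//   }

/// Reads the object's bytes through the SDK, so the read is checked by rules.
Future<Uint8List?> fetchPrivateImage(String fileName) async {
  final user = FirebaseAuth.instance.currentUser;
  if (user == null) return null; // not signed in: the rule above would deny
  // Hypothetical path layout: uploads/<uid>/<fileName>
  final ref = FirebaseStorage.instance.ref('uploads/${user.uid}/$fileName');
  try {
    // Cap the download so an unexpectedly large object cannot exhaust memory.
    return await ref.getData(5 * 1024 * 1024);
  } on FirebaseException catch (e) {
    // A rules denial surfaces here as an exception; there is no URL to leak.
    debugPrint('Storage read failed: ${e.code}');
    return null;
  }
}

class PrivateImage extends StatefulWidget {
  const PrivateImage({super.key, required this.fileName});
  final String fileName;
  @override
  State<PrivateImage> createState() => _PrivateImageState();
}

class _PrivateImageState extends State<PrivateImage> {
  // Created once so widget rebuilds do not trigger repeated downloads.
  late final Future<Uint8List?> _bytes = fetchPrivateImage(widget.fileName);
  @override
  Widget build(BuildContext context) => FutureBuilder<Uint8List?>(
        future: _bytes,
        builder: (context, snap) {
          if (snap.connectionState != ConnectionState.done) {
            return const CircularProgressIndicator();
          }
          final bytes = snap.data;
          // Byte array -> image in memory; a lock icon on denial or error.
          return bytes == null ? const Icon(Icons.lock) : Image.memory(bytes);
        },
      );
}
```

Download URLs that were already issued for a file are not affected by switching the client to `getData()`.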
