I’ll be showing you Google’s Firebase security rules in detail, using my custom iOS app with slight changes. In addition to securing your Google Firebase APIs, you must also secure your Firebase Realtime Database. This is done by applying security rules to the database in the Firebase console. I highly recommend using the provided rules simulator to test and verify that your web or mobile application gets the results you expect! I will not be responsible for your misconfiguration or lack of understanding of what this article entails.
Basic rules
100% Closed
// These rules don't allow anyone read or write access to your database
{
  "rules": {
    ".read": false,
    ".write": false
  }
}
This is the MOST restrictive rule: no one, authenticated or not, is allowed to do any CRUD operations through the client SDKs. It is also the least useful one. (I don’t know why I even bothered typing this 🙂 let’s continue)
The one below is the opposite extreme: anyone in the world who knows your database URL can read and write everything, authenticated or not. That is far more dangerous than the locked-down rule above being useless.
100% Open
// OPEN TO THE WHOLE WORLD
// read and write access to your database
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
This one below is a good starting point, but it does require modification depending on your needs. If you’re going to have sign-up and sign-in functionality for your users, then start with this.
User ID based
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
  "rules": {
    ".read": "auth != null",
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
The first rule means any authenticated user can read everything, which is most likely what you want to start with. Keep in mind that Realtime Database rules cascade: once the root “.read” grants access, the nested “.read” under “$uid” cannot narrow it, so every signed-in user can read every other user’s node, and only writes are actually restricted to the owner. The second rule says that within the “users” tree, the node whose key equals the current user’s ID gets full read and write permission from that user, and only on that exact node. In the example below, the current user has full access to node1, not node2.
// assume the current user's id is 11111111111
// (each child key under "users" is a user's uid; that key is what $uid matches)
someApp-1234
  users
    11111111111   (node1: the current user's own node, full read and write)
      key: value
      key: value
    22222222222   (node2: another user's node, readable via the root rule but not writable)
      key: value
      key: value
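To make the cascading behaviour concrete, here is a small simulator I added for this article (it is not Firebase’s rules engine and not part of the original post). It walks the “User ID based” rules above for a given path and auth token and assumes only the two expression forms used here, “auth != null” and “$uid === auth.uid”; the console simulator remains the authoritative check.

```javascript
// Added example: tiny offline simulator of how Realtime Database rules cascade.
// Not Firebase's engine: it only understands booleans and string expressions
// over `auth` and `$wildcard` variables (rule text is trusted author input).
const rules = {
  rules: {
    ".read": "auth != null",
    users: {
      $uid: {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
      },
    },
  },
};
// Evaluate one rule. `$uid`-style wildcards become the path segment they captured;
// any evaluation error (e.g. `auth.uid` when auth is null) is treated as denied.
function evalRule(expr, auth, vars) {
  if (typeof expr === "boolean") return expr;
  const src = expr.replace(/\$[A-Za-z_]\w*/g, (v) => JSON.stringify(vars[v]));
  try {
    return Boolean(new Function("auth", `return (${src});`)(auth));
  } catch {
    return false;
  }
}
// Walk the rules tree along `path`. A grant at a shallower node cannot be
// revoked deeper (Firebase cascade), so the walk stops at the first true rule.
function isAllowed(rules, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = rules.rules;
  for (let i = 0; ; i++) {
    if (op in node && evalRule(node[op], auth, vars)) return true;
    if (i === segments.length) return false; // no rule granted access: deny
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false; // no child rule matches this segment
      vars[wildcard] = seg;
      node = node[wildcard];
    }
  }
}
// Constructed sample: user 22222222222 can read any user's node (root rule)
const me = { uid: "22222222222" };
console.log(isAllowed(rules, ".read", "users/11111111111", me), // true
            isAllowed(rules, ".write", "users/11111111111", me)); // false
```

Running it shows the point from the prose: reads on another user’s node succeed because of the root rule, while writes there are denied and unauthenticated access is denied everywhere.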
[…] this all assumes the Firebase rules are allowing this; check out this article for details. Also, don’t forget to lock up your API […]