Correct way to set up security for Firebase DB
Okay, I have the following use case for Firebase:
Client wants us to store data from a form and put it into the DB. This is handled on the backend with Express.
This has to be done pretty quickly, so I just want to make sure I do it correctly.
I currently have the rules to allow read and write access to be true. Would this be okay in production, given that users can only input data through the form? And they wouldn't have access to the API key, so other users couldn't mess with the data?
From your description it sounds like you have:
{
"rules": {
".read": true,
".write": true
}
}
This means that anyone who can find the URL for your database (https://yours.firebaseio.com) can write to the database. It doesn't matter if they use your form, directly use a Firebase SDK or even if they just make a REST request using curl:
curl -X DELETE 'https://yours.firebaseio.com/.json'
This last line will delete your entire database. And all it takes is one malicious user or one typo while you're developing (this happens a lot more than you'd think).
So you really should set up your database security rules to:
Yes, having both read and write permissions set to true is a big security hole for multiple reasons:
Public read access creates a privacy problem for your users if you handle any personal information.
Public write access allows anyone with your database URL to delete or modify its contents at will. Also note that if your app exposes Firebase through its front-end to the users, getting your database URL is as simple as reading through the app's HTML source.
is authenticate your app through the server side and set private access to the database. Take a look at how to create a service account, also detailed here.
If you use an older version of Firebase, you will have to use server tokens.
Hope this helps!
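The locked-down rules that both answers point toward, next to the open rules they warn about, and a server-side write path for the form, as an added example in JavaScript (Node). This is not code from the question or either answer. It assumes an Express backend writing through firebase-admin with a service account; `db` is an in-memory stand-in for admin.database() so the file runs offline, `requestAllowed` is a simplified boolean-only model of how rules cascade (real rules can be expressions over auth and data), and the field names, the `/submissions` path, `inMemoryDb` and `demo` are made up for the demonstration.

```javascript
// Added example (not code from the question or either answer): a Realtime
// Database locked to backend-only access, and the Express handler that does
// the writing. Assumed: the server uses firebase-admin authenticated with a
// service account; `db` stands in for admin.database() so this runs offline.

// What the answers warn against: anyone who knows the URL can read and write.
const OPEN_RULES = { rules: { ".read": true, ".write": true } };

// Backend-only database: every client request (SDK or REST) is denied. The
// Admin SDK does not go through rules at all, so the server still writes.
const LOCKED_RULES = { rules: { ".read": false, ".write": false } };

// Simplified model of rule cascading (boolean rules only, no auth/data
// expressions): a client request is allowed when `.read`/`.write` is true at
// the requested path or at any ancestor. That is why `.write: true` at the
// root lets `curl -X DELETE https://yours.firebaseio.com/.json` succeed.
function requestAllowed(rules, op, path, { viaAdminSdk = false } = {}) {
  if (viaAdminSdk) return true; // service-account requests bypass rules
  const key = op === "read" ? ".read" : ".write";
  const segments = path.split("/").filter(Boolean);
  let node = rules.rules;
  for (let i = 0; node && typeof node === "object"; i++) {
    if (node[key] === true) return true;
    if (i === segments.length) break;
    node = node[segments[i]];
  }
  return false;
}

// Only these form fields reach the database; extra keys in the body are
// dropped so a crafted POST cannot plant arbitrary data under /submissions.
const ALLOWED_FIELDS = ["name", "email", "message"]; // assumed form fields
const MAX_FIELD_LENGTH = 1000;

function sanitizeSubmission(body) {
  const clean = {};
  for (const field of ALLOWED_FIELDS) {
    const value = body[field];
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`missing or invalid field: ${field}`);
    }
    if (value.length > MAX_FIELD_LENGTH) throw new Error(`field too long: ${field}`);
    clean[field] = value.trim();
  }
  return clean;
}

// Express handler. In production `db` is admin.database(); push() with no
// argument mints a child key without writing, set() performs the write.
function makeSubmitHandler(db) {
  return async function handleSubmit(req, res) {
    let data;
    try {
      data = sanitizeSubmission(req.body || {});
    } catch (err) {
      return res.status(400).json({ error: err.message });
    }
    const ref = db.ref("submissions").push();
    await ref.set({ ...data, createdAt: Date.now() });
    return res.status(201).json({ id: ref.key });
  };
}

// In-memory stand-in for admin.database() with only the surface used above
// (hypothetical helper, so the handler can be exercised without Firebase).
function inMemoryDb() {
  const store = {};
  let counter = 0;
  return {
    store,
    ref(path) {
      return {
        push() {
          const key = `key${++counter}`;
          return { key, set: async (value) => { store[`${path}/${key}`] = value; } };
        },
      };
    },
  };
}

// Drives the handler with a constructed request (note the extra `isAdmin`
// key, which must not reach the database) and returns what was stored.
async function demo() {
  const db = inMemoryDb();
  const handle = makeSubmitHandler(db);
  const res = {
    code: 0, body: null,
    status(c) { this.code = c; return this; },
    json(b) { this.body = b; return this; },
  };
  const req = { body: { name: "Ada", email: "ada@example.com", message: "hi", isAdmin: true } };
  await handle(req, res);
  return { code: res.code, stored: db.store[`submissions/${res.body.id}`] };
}
```

With LOCKED_RULES deployed, the curl DELETE from the first answer is rejected, the browser-side SDK cannot read or write anything, and the only path into the database is the Express handler, which decides exactly which fields get stored. Swapping `inMemoryDb()` for `admin.database()` after `admin.initializeApp({ credential: admin.credential.cert(serviceAccount), databaseURL: ... })` is the only change needed for production.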