Tags: firebase-realtime-database, firebase-security

Google keeps warning about insecure rules


For my gaming app, I have set the Firebase database rules as follows:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

The nature of the game is that users have to input data to the database; I mean authenticated users.

All the players at that time will input data to the same directory. If I secure the rules in any way other than the above, users can't post any input, so the game cannot be played. The app allows users to post data only under certain circumstances, and they cannot update any data as they like; the code doesn't allow all that. But Google keeps warning about the insecure rules. My question is: can an authenticated user update the database from some source other than my app? Thanks.


Solution

That a user needs to be able to read all data in the database doesn't mean they need to be able to read the root of the database.

That a user needs to be able to write to the database doesn't mean they need to be able to write to the root of the database.

In both scenarios your code probably doesn't read the root, and it definitely doesn't simply write to the root - as that would overwrite the data from the other users.

Your rules should allow exactly how your code accesses the data, and nothing more. This is known as the principle of least privilege - and is a common practice in securing systems.

Also see:

Finally, I recommend checking out Firebase App Check too, which drastically reduces the chances of abuse from users that use your configuration data but not your code.
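As an added example (not the answer's own code), here is the root-level rule set from the question beside a least-privilege version. It assumes a constructed data layout in which each player's input lives under games/$gameId/players/$uid with the fields "move" and "ts"; the path and field names are assumptions, not something the question specifies. Realtime Database rules accept // and /* */ comments, so the block can be pasted into the rules editor as-is.

```json
{
  /* Original rules from the question: any signed-in user can read and
     overwrite the entire database, including every other player's data. */
  /*
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
  */

  /* Least-privilege version: grants only what the app's own code does. */
  "rules": {
    // Nothing is readable or writable at the root unless a deeper rule allows it.
    ".read": false,
    ".write": false,

    "games": {
      "$gameId": {
        // Any signed-in player may read the state of a game (assumed requirement).
        ".read": "auth != null",

        "players": {
          "$uid": {
            // A player may only write the node whose key matches their own auth.uid.
            ".write": "auth != null && auth.uid == $uid",

            // Constrain the written value to the shape the app actually posts
            // (assumed fields: a short string "move" and a numeric timestamp "ts").
            ".validate": "newData.hasChildren(['move', 'ts'])",
            "move": { ".validate": "newData.isString() && newData.val().length <= 32" },
            "ts":   { ".validate": "newData.isNumber()" },

            // Reject any extra field the app does not post.
            "$other": { ".validate": false }
          }
        }
      }
    }
  }
}
```

With these rules a signed-in user reaching the database from outside the app (the case the question asks about) can still only write their own entry in the assumed shape, rather than arbitrary data anywhere in the tree.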