firebase-realtime-database firebase-security

How to prevent my users downloading Firebase Realtime Database as a JSON file


I have a simple search data app which gives the corresponding result for the user's input value.
My users can download the Firebase Realtime Database as a single file by going to https://test.firebaseio.com/data.json. How do I prevent this? Is there any way to give the search result only, without the full data being readable? I mean, don't allow the user to download the full JSON file, but allow search only.



Solution

  • Accessing the https://test.firebaseio.com/data.json URL is using the REST API of the Firebase Realtime Database. Given the nature of a cloud-hosted database, in general people will always be able to get any data through this API that they can also access in your application code.

    In fact, in a well-written application the security rules of your database will match closely with the client-side code of that application. For example: if your application code only reads specific keys, your security rules should only allow those keys to be read - and reject reads of other data. This is known as the principle of least privilege and is key to a security strategy on Firebase.

    For more on this, I recommend reading some of my answers to these recent questions:

    Or these older but highly ranked answers:


    Finally, to restrict access to the database to just your application code, consider implementing Firebase App Check. While it is not foolproof, using App Check reduces the abuse on your project by making it harder for malicious users to run their own code against your project.
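
Added example, not part of the answer above: a simplified JavaScript model of how `.read` rules cascade, showing why granting read only on individual child keys makes a request for `/data.json` fail while single-key lookups still succeed. The two rule sets, the `canRead` helper and the `item1` key are assumptions for illustration; the model handles only boolean `.read` values and `$` wildcards, not Firebase's full rule language.

```javascript
// Simplified model of Realtime Database ".read" cascading (added example,
// not Firebase's own evaluator). Real rules also accept expressions that use
// auth, query and data; only boolean values are modelled here.

// Weak: read granted at the root, so /data.json returns the whole tree.
const openRules = { rules: { ".read": true } };

// Least privilege: no ".read" at /data, only on each individual child key.
// Assumes the app looks up one key at a time under /data.
const perKeyRules = {
  rules: {
    data: {
      $key: { ".read": true }
    }
  }
};

// A read is allowed if ".read" is true at the requested location or at any
// ancestor. A grant on a child never extends upward to its parent.
function canRead(ruleset, path) {
  let node = ruleset.rules;
  if (node[".read"] === true) return true;
  for (const segment of path.split("/").filter(Boolean)) {
    const hasLiteral = Object.prototype.hasOwnProperty.call(node, segment);
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    // A literal child rule takes precedence over a $wildcard rule.
    node = hasLiteral ? node[segment] : wildcard ? node[wildcard] : undefined;
    if (node === undefined) return false; // no rule on this branch: denied
    if (node[".read"] === true) return true;
  }
  return false;
}

console.log("open rules, /data:        ", canRead(openRules, "/data"));
console.log("per-key rules, /data:     ", canRead(perKeyRules, "/data"));
console.log("per-key rules, /data/item1:", canRead(perKeyRules, "/data/item1"));
```
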