
Firebase Realtime Database Secure Rules for a Static Website


I have a personal website based on GitHub pages. Some of its pages need to read data from a Firebase realtime database I created on my own and display the data through HTML.

For the secure rules of the database, my first plan was to allow write permission only for me as owner, and allow read permission for everyone (all the data is visible to public on my website anyways), so I wrote the rules as follows:

{
  "rules": {
    ".read": true,
    ".write": false
  }
}

However, I keep getting warned that these rules are insecure. I've read the docs but I still have no idea how to write an acceptable ruleset suitable for my case.

It's not necessary that everyone should be permitted to read the database - it's also an option for me if only my website would have access to the database (AND while testing it with localhost). Even though all the data is supposed to be public. But I don't know how to do that either.

Could anyone help?


Solution

  • As you've said in comments, you're not using Firebase Authentication, which is the only way that security rules can be used to limit per-user access to Realtime Database. This is inherently problematic unless you don't mind anyone with an internet connection reading your entire database with a single request.
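The following ruleset is an added illustration of the point made in the answer, not code from the question or the answer: it limits the public, unauthenticated read to one subtree that the static site actually fetches, and ties write access to a single authenticated owner account. The path name `public` and the value `OWNER_UID_PLACEHOLDER` are assumptions standing in for the real node and the owner's Firebase Authentication UID.

```json
{
  "rules": {
    // Subtree the static website reads. Granting ".read" here, rather than
    // at the root, means a single request can only pull this branch, not the
    // whole database. Read permission cascades to every child under /public.
    "public": {
      ".read": true,
      // Writes require a signed-in user whose UID matches the owner's.
      // Replace the placeholder with the real UID from Firebase Authentication.
      ".write": "auth != null && auth.uid === 'OWNER_UID_PLACEHOLDER'"
    },
    // Every other top-level node is denied to everyone. Firebase already
    // denies access where no rule grants it; this makes the intent explicit.
    "$other": {
      ".read": false,
      ".write": false
    }
  }
}
```

Rules evaluate per path, so data that is not meant to be public should live outside `/public`; anything placed under it is readable by anyone who knows the database URL. Security rules have no notion of which website or host issued a request, so the "only my website and localhost" restriction mentioned in the question cannot be expressed in them; the owner-only write rule above is the part that Firebase Authentication makes enforceable.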