How do I prevent unauthorized access to my Firebase Realtime Database?


Problem description

How do I prevent other users from accessing my Realtime Database via my Firebase URL? What must I do to secure it to only my domain?

Solution

First of all, understand that you cannot secure any URL on the internet according to the origin domain: malicious users can simply lie. Securing the origin domains is only useful in preventing cross-site spoofing attacks (where a malicious source pretends to be your site and dupes your users into logging in on their behalf).

The good news is that users are already prevented from authenticating from unauthorized domains from the start. You can set your authorized domains in Forge:

  • type your Firebase URL into a browser (e.g. https://INSTANCE.firebaseio.com/)
  • log in
  • click on the Auth tab
  • add your domain to the list of Authorized Requests Origins
  • select a "provider" you want to use and configure accordingly

Now to secure your data, you will go to the security tab and add security rules. A good starting point is as follows:

{
   "rules": {
       // only authenticated users can read or write to my Firebase
       ".read": "auth !== null",
       ".write": "auth !== null"
   }
}

Security rules are a big topic. You will want to get up to speed by reading the overview and watching this video.
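As an added example (not part of the answer above), here is the starting-point rule taken one step further. "auth !== null" at the root lets every signed-in user read and write the entire database, which is rarely what you want; the rules below assume a constructed data layout with a users/$uid subtree and a public_posts collection, and scope access per user:

```json
{
  "rules": {
    // Nothing is readable or writable unless a rule further down grants it.
    // (A grant on a parent cascades to its children, a deny does not, so
    // keep grants as deep in the tree as possible.)
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // A signed-in user may only read and write their own subtree.
        ".read": "auth !== null && auth.uid === $uid",
        ".write": "auth !== null && auth.uid === $uid",
        "email": {
          // Constructed shape check: a bounded-length string, nothing else.
          ".validate": "newData.isString() && newData.val().length < 256"
        }
      }
    },

    "public_posts": {
      // Any signed-in user may read posts.
      ".read": "auth !== null",
      "$postId": {
        // Only the owner may create, change or delete a post: the existing
        // record (if any) and the incoming record (if any) must both name
        // the caller as owner.
        ".write": "auth !== null && (!data.exists() || data.child('owner').val() === auth.uid) && (!newData.exists() || newData.child('owner').val() === auth.uid)",
        "owner": {
          // The owner field can never be set to someone else's uid.
          ".validate": "newData.val() === auth.uid"
        }
      }
    }
  }
}
```

The Rules tab's simulator (or the local emulator) lets you check each path with and without an auth token before deploying.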
