Is it a security vulnerability to expose ids of items from Firestore?

Problem description

I have few items in Firestore and when each of them is accessed by a client in the browser, I pass the id of the item from Firestore through URL parameters like `http://....?id=4ZDOiynoK25j2ikJlbZq` to access its data.

Is there any security risk even if I use some security rules for the database?

Recommended answer

There's not enough information to know for sure if there is any security risk. The security of any given Firestore database is generally governed by security rules, not privacy of document IDs. Always start with security rules if you're concerned about security.

If you're depending on IDs being private to only the people who have the ID, then your security rules will need to disallow queries entirely on the collection with the intended private IDs. Keep in mind that others can still try to guess the ID, or find it somewhere else in your data, so it's not really 100% secure.
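The rule change the answer describes, as an added example that is not part of the original question or answer. The collection name `items` is an assumption; the weak rule is shown commented out because overlapping `match` blocks would otherwise grant access if either one allows it.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak: "read" covers both get and list, so any client can query
    // the collection and enumerate every document ID in it.
    // match /items/{itemId} {
    //   allow read: if true;
    // }

    // Tighter: a client that already knows an ID can fetch that single
    // document, but collection queries (list) are rejected, so the IDs
    // cannot be enumerated through the database itself.
    // "items" is an assumed collection name.
    match /items/{itemId} {
      allow get: if true;
      allow list: if false;
      allow write: if false;
    }
  }
}
```

With these rules the ID in the URL is the only thing gating access to a document, so data that belongs to a specific user should additionally be gated on `request.auth` rather than on knowledge of the ID.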
