How do I prevent un-authorized access to my Firebase Realtime Database?

  1. Setup security Rules, source to learn : https://firebase.google.com/docs/rules

  2. Use Emulators (It will make keys not easy to visible by beginner programmers) , source : https://firebase.google.com/docs/rules/emulator-setup

  3. Cloud Functions (It will hide the names of Collections and Docs) , https://firebase.google.com/docs/functions

  4. Limit the API keys to specific website/s(It will make peoples unable to access your website/app from outside)

if someone knows more methods, please tell, no one can be perfect.


First of all, understand that you cannot secure any URL on the internet according to the origin domain--malicious users can simply lie. Securing the origin domains is only useful in preventing cross-site spoofing attacks (where a malicious source pretends to be your site and dupes your users into logging in on their behalf).

The good news is that users are already prevented from authenticating from unauthorized domains from the start. You can set your authorized domains in Forge:

  • type your Firebase url into a browser (e.g. https://INSTANCE.firebaseio.com/)
  • log in
  • click on the Auth tab
  • add your domain to the list of Authorized Requests Origins
  • select a "provider" you want to use and configure accordingly

Now to secure your data, you will go to the security tab and add security rules. A good starting point is as follows:

{
   "rules": {
       // only authenticated users can read or write to my Firebase
       ".read": "auth !== null",
       ".write": "auth !== null"
   }
}

Security rules are a big topic. You will want to get up to speed by reading the overview and watching this video