[Guide] How to secure Firebase Real Time Database from hacker!

:pray:
Hello guys Avijit Das here, And today I am showing
how you can secure your :fire: Firebase Real Time Database from hackers.
So let’s start


Rule No 1 :

Basic rules - Everyone can read and write your full database.

{
  "rules": {
    ".read": "true",
    ".write": "true"
  }
}


Rule No 2 :

Basic rules - No one will be able to read and write your database.

{
  "rules": {
    ".read": "false",
    ".write": "false"
  }
}


Rule No 3 :

Basic rules - Any authenticated user can read and write your full database.

{
  "rules": {
    ".read": "auth.uid != null",
    ".write": "auth.uid != null"
  }
}


Rule No 4 :

Strong rules - Only user and admin can read and write user/{user_id}/password_activity/ Tag.

Rules :

{
  "rules": {
    ".read": "false",
    ".write": "false",
      
      "user": {
    
    "$uid": {
      
      "password_activity":{
              ".read": "$uid === auth.uid
                       || auth.token.email.endsWith(\"@admin.example.com\")",
                                                     
               ".write": "$uid === auth.uid
                         || auth.token.email.endsWith(\"@admin.example.com\")",
       },
      }
    }
  }
}

Note : admin account email must be end with @admin.example.com
Example : [email protected]


Rule No 5 :

Strong rules - Any authenticated user can read user/{user_id}/password_activity/ but only user can write his password activity.

Rules :

{
  "rules": {
    ".read": "false",
    ".write": "false",
      
      "user": {
    
    "$uid": {
      
      "password_activity":{
              ".read": "auth.uid != null",
                                                     
               ".write": "$uid === auth.uid",
       },
      }
    }
  }
}


Rule No 6 :

For example user2 need to create a data in user/user1/friends/ tag.

Example :

image

Rules :

{
  "rules": {
    ".read": "false",
    ".write": "false",
      
      "user": {
    
    "$uid": {
      
      "friends" : {
        
        "$friend_uid": {
          
          ".read": "auth.uid != null",
            
          ".write": "$friend_uid === auth.uid",
          
        },
        
        }
      }
    }
  }
}

Note : Any authenticated user can read user/user1/friends/ tag but only user2 can create his data in user/user1/friends/ tag.


Note : I know this guide really hard to understand. but listen good things never come easily.

If this help you then just press ❤️ button
7 Likes

Please Abhijit bro. Guide me how to secure MySQL database from hacker.

Does this mean that nobody (even the app itself) cannot write to the database?

Yes. :heart: :heart: :heart:

1 Like

Sorry dear, I never used MySQL database. so i don’t have any idea.

I too don’t use it, but yes maybe you can add these kinds of access rules there too(if possible)

Anyways, Good work @Avijit

1 Like

Thanks @Horizon.

1 Like

Use multiple encryption, url uncoder, replacement and more. I am going to create a guide soon.

Good to hear that @I_Am_The_Bong :slightly_smiling_face:

need guide for firestore too

Ok, Within 5 days.

Great guide sir

Thanks dear.

:man_facepalming: :man_facepalming: :man_facepalming: Dear.

There are many steps to increase the security of data within a database. Can’t explain it to you in a few lines You will have to read and research the subject.
@MrSidhartha

2 Likes

You are right :white_check_mark:

1 Like

So How do we Do that only my App can read and write data ?
Should set it to true only or is there another way

Please follow my guide.

1 Like

does Google sign in accounts count as authenticated or not?

Yes. User can be any method (github, facebook, twitter and etc) to authenticate.

image

1 Like

I meant does signing in using google authenticate the user automatically or I need to send authentication e-mail?