With Firebase Realtime Database, your database rules are your server-side security. You need to be very careful and aware of who has access to your database. It is important that no one gains access to data they shouldn't.
By default, the Firebase Realtime Database rules allow any authenticated user to read and write all the data; this is probably not what you want your app to do.
Take a look at the below examples for different scenarios.
By default, your database rules require Firebase Authentication and grant full read and write permissions only to authenticated users. The default rules ensure your database isn't accessible by just anyone before you get a chance to configure i
How to allow reading specific item from group, but prevent listing group members
It is common practice to create groups of items by creating simple value nodes with the item ID as the key. For example, we can add a user to the group "administrators" by creating a node at /administrators/$user_id with the value true. For security reasons we don't want anyone to be able to find out who the administrators are, but we still want to be able to check whether an authenticated user is an administrator. With these rules we can do just that:
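The rules below are an added example (not the rules from the original page); they assume the /administrators/$user_id layout described above. The key point is that Realtime Database rules deny everything that is not explicitly granted and only cascade downward: a ".read" rule placed on the $user_id child lets a signed-in user read their own entry, while the absence of any ".read" rule on /administrators itself means a read of the whole node (i.e. listing all members) is rejected. No ".write" is granted anywhere, so membership can only be changed with administrative privileges (console or server SDK):

```json
{
  "rules": {
    "administrators": {
      // No ".read" here: reading /administrators as a whole is denied,
      // so nobody can list the members.
      "$user_id": {
        // A user may read only the entry whose key equals their own uid.
        ".read": "auth != null && auth.uid === $user_id"
        // No ".write": only the console / Admin SDK can change membership.
      }
    }
  }
}
```

With these rules a client that is signed in as user abc (a constructed uid) can read /administrators/abc and receives either true or null, but a read of /administrators or of /administrators/someone-else fails with permission denied. You can confirm both outcomes in the rules editor's Simulate button by entering the path and an authenticated uid. Firebase's rules editor accepts the // comments shown here; strip them if you feed the file to a strict JSON parser.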
How to configure rules
- Go to the Firebase console.
- Choose your project.
- Click on the Database section on the left, and then select the Rules tab.
If you would like to test your security rules before putting them into production, you can simulate operations in the console using the Simulate button in the upper right of the rules editor.
How to disable read and write access
You can define private rules that disable read and write access to your database for all users. With these rules, you can only access the database when you have administrative privileges (which you get by accessing the database through the Firebase console or by signing in from a server with the Admin SDK).
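The private ruleset, as an added example (not from the original page). Both top-level rules evaluate to false, and because no child node grants anything, every client read or write is rejected; only the console and server-side Admin SDK access, which bypass rules, can reach the data:

```json
{
  "rules": {
    ".read": false,
    ".write": false
  }
}
```

This is a sensible starting point while you design your data model: you open up individual paths later with narrower rules rather than starting open and trying to lock things down afterwards.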
How to grant access only to authenticated users
Here's an example of a rule that gives each authenticated user a personal node at /users/$user_id, where $user_id is the ID of the user obtained through Authentication.
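The per-user ruleset, as an added example (not the rules from the original page). The $user_id wildcard captures the child key under /users, and each rule compares it with auth.uid, the uid of the signed-in user; a request for any other user's node, or for /users as a whole, is denied because no broader rule grants it:

```json
{
  "rules": {
    "users": {
      // $user_id matches any child key under /users.
      "$user_id": {
        // Only the owner of the node may read it or write to it.
        ".read": "auth != null && $user_id === auth.uid",
        ".write": "auth != null && $user_id === auth.uid"
      }
    }
  }
}
```

Note the explicit auth != null check: if a request is unauthenticated, auth is null and a bare $user_id === auth.uid comparison would simply be false, but spelling the check out makes the intent obvious to the next person reading the rules.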
How to set your files publicly readable and writable
This can be useful during development, but be careful: this level of access means anyone, authenticated or not, can read or write your entire database.
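The fully public ruleset, as an added example (not from the original page). Setting both top-level rules to true grants every request, including unauthenticated ones, so this should never be deployed to a production project:

```json
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
```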
The default rules
The default rules require Authentication. They allow full read and write access to any authenticated user of your app. They are useful if you want data open to all users of your app but don't want it open to the world.
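The default ruleset, as an added example (not copied from the original page). auth is null for unauthenticated requests, so auth != null grants access to any signed-in user and denies everyone else; note that it does not distinguish between users, so every signed-in user can read and write every other user's data until you replace it with path-specific rules such as the /users/$user_id example:

```json
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
```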