How to restrict access to my Firebase app to only one website


Greg Babb

Dec 1, 2017, 11:09:02 AM
to Firebase Google Group
Hi all, this is probably a very basic question that's been answered many times but I'm new to FB and OAuth.

I developed a web app that accesses a Firebase database. Is it possible to say, "I want to restrict usage to my Firebase database to only my web app, so that someone else cannot develop their own web app and then use my FB api key, authDomain, etc."

In my Firebase settings, I see there's a listing for setting "authorized domains" which lists my `databaseURL` which is fine and good, but is there a setting where I can type in the URL of my web app so that only my web app domain may access Firebase?

I've looked around and found answers like this: https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification but these seem to focus on data modification.

Appreciate any help in form of answers or documentation references.


Kato Richardson

Dec 1, 2017, 3:00:43 PM
to Firebase Google Group
Hi Greg,

The whitelisted domains for authentication are used to protect the client from XHR and spoofing, not to protect the server from unauthorized requests. That is done by authentication and security rules.

There is no way to verify the origin domain of a request sent over public channels; the sender can just as easily doctor the referrer to accomplish the same goal, and if not that, they could just visit from your site and collect the data and then export it to another app; this is no more effective than security by obscurity.

To restrict your data, use authentication and security rules to control who can access what data, and only give users access to data they need so that they can't replicate your database. If your data is proprietary and should only be accessed by whitelisted individuals, then build a whitelist into your data and reference that in your rules.

☼, Kato

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
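
The approach described in the reply above, sketched as Realtime Database security rules. This is an added example, not part of the original thread; it assumes the Realtime Database with Firebase Authentication, and the paths `whitelist`, `reports` and `users` are hypothetical.

```json
{
  "rules": {
    // Hypothetical path: /whitelist/<uid> = true for each approved user.
    // No client can read or write it; entries are maintained from the
    // Firebase console or the Admin SDK, which bypass security rules.
    "whitelist": {
      ".read": false,
      ".write": false
    },

    // Hypothetical proprietary data: readable and writable only by
    // signed-in users whose uid is present in the whitelist.
    "reports": {
      ".read": "auth != null && root.child('whitelist').child(auth.uid).val() === true",
      ".write": "auth != null && root.child('whitelist').child(auth.uid).val() === true"
    },

    // Hypothetical per-user data: each signed-in user can reach only
    // their own subtree, so no single account can copy the whole database.
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

With these rules, a third-party page that reuses the API key and `databaseURL` gets permission-denied responses unless its visitor signs in as a whitelisted account. Paths not listed here deny access by default.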
