How can I make Cloud Firestore more secure without authentication?

Posted on 2025-02-13 08:31:22


I have an application that pulls data from Cloud Firestore. This app does not receive user login, but Firestore sent me an email saying it is not secure.
mail of firestore security
There seems to be a security problem in authentication, but I don't want user login.
Here are my current "Cloud Firestore Rules" settings:

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.uid == request.resource.data.author_uid;
    }
  }
}
```

How can I make this more secure?
Can I limit the number of reads as another solution?

Comments (1)

辞旧 2025-02-20 08:31:22


The problem is, you're allowing unauthenticated users to read your whole database. Another one is that your authenticated users can create in your database whatever they want.
You need to restrict access to your database more. Someone will make his own database out of your database. He can create a document in a collection you expect should exist. This document will have a nested collection with his database, and everyone can read it. The best part is, if you have thousands of documents in your collection, you won't find that one document with a nested collection easily.

To prevent that, restrict access to the whole database:

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    match /articles/{articleID} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.uid == request.resource.data.author_uid;
    }
  }
}
```
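As an added example (not the answerer's rules), the same default-deny layout carried one step further to address the second concern above, that authenticated users can write whatever they want: `write` is split into `create`/`update`/`delete`, the document shape and field sizes are validated, and `author_uid` is made immutable. The field names `title`, `body` and `created_at` are assumptions, as is a client that writes `created_at` with a server timestamp.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Default deny for every path not matched more specifically below.
    // Rules cannot count or rate-limit reads, so the only lever is to
    // keep the publicly readable surface as small as possible.
    match /{document=**} {
      allow read, write: if false;
    }

    // Only top-level article documents are public. A single-segment
    // wildcard does not match subcollections, so nothing nested under
    // an article becomes readable through this rule.
    match /articles/{articleId} {
      allow read: if true;

      // Create: the author must be the caller, the document may contain only
      // the expected fields (names assumed here), and sizes are bounded so
      // the collection cannot be used as free storage.
      allow create: if request.auth != null
        && request.resource.data.author_uid == request.auth.uid
        && request.resource.data.keys().hasOnly(['author_uid', 'title', 'body', 'created_at'])
        && request.resource.data.title is string
        && request.resource.data.title.size() <= 200
        && request.resource.data.body is string
        && request.resource.data.body.size() <= 20000
        && request.resource.data.created_at == request.time;

      // Update: only the existing author, and only title/body may change,
      // so author_uid cannot be rewritten to take over a document.
      allow update: if request.auth != null
        && resource.data.author_uid == request.auth.uid
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['title', 'body'])
        && request.resource.data.title is string
        && request.resource.data.title.size() <= 200
        && request.resource.data.body is string
        && request.resource.data.body.size() <= 20000;

      // Delete: only the existing author. The original single "allow write"
      // rule denied deletes implicitly, because request.resource is null on
      // a delete; stating it explicitly keeps the intent visible.
      allow delete: if request.auth != null
        && resource.data.author_uid == request.auth.uid;
    }
  }
}
```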