This article covers the question "Should I hide my Firebase API key in the backend? Not for data security but because of project cloning" and its recommended answer, which may be a useful reference for anyone dealing with the same problem.

Problem description


Can someone help me with Firebase security questions?
Here's what I was trying to figure out:

I understand that to let a client side interact with my Firebase app, a config and firebase.initializeApp(config) will be exposed to the public, and everyone using the client side can see it in the browser developer console.

I also know that this is fine because I can use security rules and auth to secure data.

But, if someone copied all my client code (including configs) and built a lot of cloned sites, then they can use my Firebase database as much as they want, right?

In this case, should I hide the configs (API keys) in a backend like cloud functions or something? Thanks...

Recommended answer

I've wondered something similar before, and found this handy article after a bit of searching. (The article itself is on mobile development, but there is a section addressing this specific question.) The relevant section is titled "API Blockage by Domain and Package".

The article explains it better than I can, and just in case the link ever goes down, I'll copy the text below for future viewers' reference. This was written by Jorge Vergara on his website https://javebratt.com/hide-firebase-api/ and was last updated July 20, 2018.

Another cool thing: if you go to your Google APIs account you'll see all your Firebase projects; select one, and then in the Credentials tab select your API key.

If you've never messed with it, it should be called something like Browser key (auto created by Google Service); open it, and you'll find options for key restriction:

This key is unrestricted. To prevent unauthorized use and quota theft, restrict your key. Key restriction lets you specify which websites, IP addresses, or apps can use this key.

There you can choose HTTP referrers (websites) and add your domain. This means that the Firebase database will only accept requests from people writing from that domain.

Or Android apps and iOS apps, where you can add the package name and fingerprints.

For example:

If you build myawesomeapp.com and add the domain in the HTTP referrers (websites) section, any attacker trying to connect from a different domain will get an error, and those requests will never make it to the database.

The link he provided to access your Google APIs account is: https://console.developers.google.com/apis/credentials

If you click on the link that says "Browser key (auto created by Google Service)" then you should see the "Application Restrictions" section towards the bottom, where you can select "HTTP Referrers"... clicking on that allows you to enter approved domains.
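As an added check that is not part of the question, the answer or Jorge Vergara's article: a small audit that reads exported key metadata and flags the unrestricted state the answer describes, so the fix can be verified across a whole project instead of by clicking into each key. It assumes the JSON shape of the API Keys API `Key` resource as printed by `gcloud services api-keys list --format=json`; the sample keys below are constructed.

```python
import json

# Constructed sample input, modelled on the Key resources that
# `gcloud services api-keys list --format=json` returns (API Keys API v2).
# Names and values are made up for this example.
SAMPLE_KEYS_JSON = json.dumps([
    {   # no "restrictions" field at all: the state the answer warns about
        "name": "projects/example-project/locations/global/keys/key-1",
        "displayName": "Browser key (auto created by Google Service)",
    },
    {   # restricted, but to a pattern that admits every site
        "name": "projects/example-project/locations/global/keys/key-2",
        "displayName": "Browser key (staging)",
        "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*"]}},
    },
    {   # restricted to the app's own domain, as the answer recommends
        "name": "projects/example-project/locations/global/keys/key-3",
        "displayName": "Browser key (production)",
        "restrictions": {"browserKeyRestrictions": {"allowedReferrers": [
            "https://myawesomeapp.com/*", "https://*.myawesomeapp.com/*"]}},
    },
])

def is_broad_referrer(pattern):
    """True when the host part of a referrer pattern is a bare wildcard,
    i.e. the restriction would still let any site use the key."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return host in ("*", "*.*", "")

def audit_browser_keys(keys_json):
    """Map each key's displayName to an UNRESTRICTED / BROAD / OK finding."""
    findings = {}
    for key in json.loads(keys_json):
        browser = key.get("restrictions", {}).get("browserKeyRestrictions")
        if browser is None:
            findings[key["displayName"]] = "UNRESTRICTED: any site can use this key"
            continue
        refs = browser.get("allowedReferrers", [])
        broad = [r for r in refs if is_broad_referrer(r)]
        if not refs or broad:
            findings[key["displayName"]] = "BROAD: %s admits any site" % (broad or refs)
        else:
            findings[key["displayName"]] = "OK: limited to %s" % ", ".join(refs)
    return findings

if __name__ == "__main__":
    for name, finding in audit_browser_keys(SAMPLE_KEYS_JSON).items():
        print(name, "->", finding)
```

A referrer restriction only stops a cloned site from borrowing the key's quota; the data itself is still protected by security rules and auth, as the question already notes.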


09-07 00:06