Are Firebase Functions safe to use
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
my Project is currently so build that all writing operations are handled by a Firebase function like createUser, followUserDirectly, acceptRequest or sendFollowRequest.
My first question is if the functions can be executed by an attacker outside my app and its logic.
The second is: Can the attributes that are passed to the function be modified outside of the intended logic? For example if the wrong user id is passed so that a completely different follow request will be accepted.
android firebase google-cloud-firestore google-cloud-functions edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
asked Jan 3 at 22:48
Florian G.Florian G.
83
add a comment |
my Project is currently so build that all writing operations are handled by a Firebase function like createUser, followUserDirectly, acceptRequest or sendFollowRequest.
My first question is if the functions can be executed by an attacker outside my app and its logic.
The second is: Can the attributes that are passed to the function be modified outside of the intended logic? For example if the wrong user id is passed so that a completely different follow request will be accepted.
android firebase google-cloud-firestore google-cloud-functions edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
asked Jan 3 at 22:48
Florian G.Florian G.
83
4
We can't say anything about whether your functions are secure without seeing them. But if they're HTTP-callable functions they won't be secured unless you've secured access to them yourself, as shown for example here: github.com/firebase/functions-samples/tree/master/….
– Frank van Puffelen
Jan 3 at 23:00
add a comment |
my Project is currently so build that all writing operations are handled by a Firebase function like createUser, followUserDirectly, acceptRequest or sendFollowRequest.
My first question is if the functions can be executed by an attacker outside my app and its logic.
The second is: Can the attributes that are passed to the function be modified outside of the intended logic? For example if the wrong user id is passed so that a completely different follow request will be accepted.
android firebase google-cloud-firestore google-cloud-functions edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
asked Jan 3 at 22:48
Florian G.Florian G.
83
my Project is currently so build that all writing operations are handled by a Firebase function like createUser, followUserDirectly, acceptRequest or sendFollowRequest.
My first question is if the functions can be executed by an attacker outside my app and its logic.
The second is: Can the attributes that are passed to the function be modified outside of the intended logic? For example if the wrong user id is passed so that a completely different follow request will be accepted.
android firebase google-cloud-firestore google-cloud-functions android firebase google-cloud-firestore google-cloud-functions edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
asked Jan 3 at 22:48
Florian G.Florian G.
83
edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
asked Jan 3 at 22:48
Florian G.Florian G.
83
edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
edited Jan 3 at 23:08
Doug Stevenson
83.8k10100118
83.8k10100118
asked Jan 3 at 22:48
Florian G.Florian G.
83
asked Jan 3 at 22:48
Florian G.Florian G.
83
asked Jan 3 at 22:48
Florian G.Florian G.
83
83
4
We can't say anything about whether your functions are secure without seeing them. But if they're HTTP-callable functions they won't be secured unless you've secured access to them yourself, as shown for example here: github.com/firebase/functions-samples/tree/master/….
– Frank van Puffelen
Jan 3 at 23:00
add a comment |
4
We can't say anything about whether your functions are secure without seeing them. But if they're HTTP-callable functions they won't be secured unless you've secured access to them yourself, as shown for example here: github.com/firebase/functions-samples/tree/master/….
– Frank van Puffelen
Jan 3 at 23:00
4
4
We can't say anything about whether your functions are secure without seeing them. But if they're HTTP-callable functions they won't be secured unless you've secured access to them yourself, as shown for example here: github.com/firebase/functions-samples/tree/master/….
– Frank van Puffelen
Jan 3 at 23:00
We can't say anything about whether your functions are secure without seeing them. But if they're HTTP-callable functions they won't be secured unless you've secured access to them yourself, as shown for example here: github.com/firebase/functions-samples/tree/master/….
– Frank van Puffelen
Jan 3 at 23:00
add a comment |
1 Answer
1
active
oldest
votes
If you expose any API to a webclient you have to assume it can be used outside of your webapplication aswell. It's then up to you to secure your API & apply the security you see is necessary. Firebase has good documentation & FAQ for you to make up your judgement if you see fit at https://firebase.google.com/
As to per your user-id question, refer to:
Will it be safe to rely on Firebase, for the security of my app data from hackers?
Firebase implements authentication and declarative security rules for security.
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54030867%2fare-firebase-functions-safe-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you expose any API to a webclient you have to assume it can be used outside of your webapplication aswell. It's then up to you to secure your API & apply the security you see is necessary. Firebase has good documentation & FAQ for you to make up your judgement if you see fit at https://firebase.google.com/
As to per your user-id question, refer to:
Will it be safe to rely on Firebase, for the security of my app data from hackers?
Firebase implements authentication and declarative security rules for security.
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
add a comment |
If you expose any API to a webclient you have to assume it can be used outside of your webapplication aswell. It's then up to you to secure your API & apply the security you see is necessary. Firebase has good documentation & FAQ for you to make up your judgement if you see fit at https://firebase.google.com/
As to per your user-id question, refer to:
Will it be safe to rely on Firebase, for the security of my app data from hackers?
Firebase implements authentication and declarative security rules for security.
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
add a comment |
If you expose any API to a webclient you have to assume it can be used outside of your webapplication aswell. It's then up to you to secure your API & apply the security you see is necessary. Firebase has good documentation & FAQ for you to make up your judgement if you see fit at https://firebase.google.com/
As to per your user-id question, refer to:
Will it be safe to rely on Firebase, for the security of my app data from hackers?
Firebase implements authentication and declarative security rules for security.
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
If you expose any API to a webclient you have to assume it can be used outside of your webapplication aswell. It's then up to you to secure your API & apply the security you see is necessary. Firebase has good documentation & FAQ for you to make up your judgement if you see fit at https://firebase.google.com/
As to per your user-id question, refer to:
Will it be safe to rely on Firebase, for the security of my app data from hackers?
Firebase implements authentication and declarative security rules for security.
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
answered Jan 3 at 22:55
joelgullanderjoelgullander
308113
308113
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54030867%2fare-firebase-functions-safe-to-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
We can't say anything about whether your functions are secure without seeing them. But if they're HTTP-callable functions they won't be secured unless you've secured access to them yourself, as shown for example here: github.com/firebase/functions-samples/tree/master/….
– Frank van Puffelen
Jan 3 at 23:00