Question
I have a Firebase realtime database.
And I have a "like" button app for my website.
But my database is not safe, because everyone can write to my database.
What I want is: "allow only incoming data from my website. And block incoming from other sites"
For example:
{
  "rules": {
    ".read": true,
    ".write": allow only incoming data from "www.example.com" and block incoming from other sites
  }
}
How can I do this?
Or how can I set this rule on Firebase console?
Answer 1:
If I understand correctly what you are trying to do, I believe you can do it with the service account linked with your Firebase account. You can manually create a whitelist of URLs allowed to use your API key. The trick is that it is found in the Google Cloud Platform, not the Firebase Console. However, there is a nifty link in Firebase Console that will take you to where you need to be.
(Also, the direct link of where to go is https://console.cloud.google.com/apis/credentials but make sure you are logged into an "Owner" or "Editor" account listed on the "Users and permissions" tab found at step two below.)
Here are the steps:
1. Log into your Firebase Console and go to the gear icon next to "project overview" in the top left of the Firebase console.
2. Then navigate to the "Users and permissions" tab.
3. Then click the small blue link underneath the main table on the screen that says "Advanced permission settings".
4. It should take you to Google Cloud Console. (Make sure you are logged into an "Owner" or "Editor" account listed on the "Users and permissions" tab you were just looking at from the Firebase Console.) Click the menu in the top left of the Google Cloud Console, and go to "APIs & Services".
5. Then click the sub-menu item "credentials".
6. Click the desired API key you want to restrict.
7. And set the websites you want to allow access by clicking the radio button "HTTP Referers" under "Application Restrictions", adding an item, entering the web address, and hitting done to save the changes.
Source: https://stackoverflow.com/questions/47240098/firebase-rules-allow-only-specific-url