I would like to set a restriction on my Firebase API such that it can only be used from a particular domain.
Indeed, I understand that Firestore data is still readable unless correct security rules are in place, but I seem to be managing to make use of the Firestore API and the restriction should prevent this, if I understand correctly.
So, I have set my Browser key restriction as below, clicked the Save button, and waited five minutes.
Then I wanted to test this restriction, so I opened an Incognito dev console, copied the identical Firebase config as it is on my client side, and called the Firestore API as below:
// Load the Firebase app SDK first, then the Firestore SDK, then run the query.
// Dynamically inserted scripts load asynchronously, so each step waits for the
// previous script's onload before the next one runs (otherwise `firebase` is
// not yet defined when initializeApp is called).
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'https://www.gstatic.com/firebasejs/7.14.1/firebase-app.js';
script.onload = function () {
  var script2 = document.createElement('script');
  script2.type = 'text/javascript';
  script2.src = 'https://www.gstatic.com/firebasejs/7.14.1/firebase-firestore.js';
  script2.onload = runQuery;
  document.head.appendChild(script2);
};
document.head.appendChild(script);

function runQuery() {
  // Your web app's Firebase configuration (same values as the client-side app)
  const firebaseConfig = {
    apiKey: "exactly_the_same",
    authDomain: "exactly_the_same",
    databaseURL: "exactly_the_same",
    projectId: "exactly_the_same",
    storageBucket: "exactly_the_same",
    messagingSenderId: "exactly_the_same",
    appId: "exactly_the_same"
  };
  // Initialize Firebase
  firebase.initializeApp(firebaseConfig);
  const db = firebase.firestore();
  // Read the whole 'events' collection and log each document
  db.collection('events').get().then((snapshot) => {
    snapshot.docs.forEach(doc => {
      console.log(doc);
    });
  });
}
The response I got was this, and looking into these elements even further, they contain the Firestore data.
Therefore, this restriction did not work at all, so what am I doing wrong?
UPDATE
It turns out that the HTTP referrer restriction only worked for non-Firestore APIs. I am not sure why this is the case, so I welcome anyone's thoughts on this. @willnode was correct in stating that you need two URL domain listings (including one with the wildcard) for the entire domain to be whitelisted. I observed this to work when I tested it with the Auth API (using anonymous sign-in).
The question as to whether restricting the API key with the HTTP Referrer is secure enough is a matter for another question.
ANOTHER UPDATE
For some reason we had to wait a bit longer for the Firestore API to also work with the Referrer restriction. Now everything is working as it should.
Reading from the official documentation, you need to at least provide two restrictions for allowing any URL in a single subdomain or naked domain (you only provide one in your screenshot). Here's the excerpt:
1. You must set at least two restrictions to allow an entire domain.
2. Set a restriction for the domain, without the trailing slash. For example:
+ https://www.example.com
+ http://sub.example.com
+ http://example.com
3. Set a second restriction for the domain that includes a wildcard for the path. For example:
+ https://www.example.com/*
+ http://sub.example.com/*
+ http://example.com/*
If your domain allows both HTTP and HTTPS you must add additional restrictions separately.
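A small JavaScript model of the two-entry rule quoted above, added here as an illustration and not part of the answer or of Google's own referrer matcher; it assumes a simplified semantics in which `*` matches any run of characters and an entry without `*` matches only that exact URL (a trailing slash is tolerated), which is enough to show why a single bare-domain entry rejects every page below the site root.

```javascript
// Simplified model of HTTP-referrer restriction matching (assumption:
// not Google's implementation). '*' matches any run of characters; a
// pattern with no '*' matches only that exact URL, trailing slash allowed.

function patternToRegExp(pattern) {
  // Escape regex metacharacters, then turn each '*' into '.*'.
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '/?$');
}

// A referrer is allowed if at least one restriction entry matches it.
function referrerAllowed(referrer, restrictions) {
  return restrictions.some(p => patternToRegExp(p).test(referrer));
}

// Constructed sample entries: the single entry from the question's
// screenshot versus the pair the answer recommends.
const oneEntry = ['https://www.example.com'];
const twoEntries = ['https://www.example.com', 'https://www.example.com/*'];

// Constructed sample referrers, including a look-alike host that should
// never match because the pattern anchors on the '/' after the hostname.
function demo() {
  const referrers = [
    'https://www.example.com',
    'https://www.example.com/',
    'https://www.example.com/events/list',
    'https://www.example.com.evil.example/app',
  ];
  return referrers.map(r => ({
    referrer: r,
    oneEntry: referrerAllowed(r, oneEntry),
    twoEntries: referrerAllowed(r, twoEntries),
  }));
}
```

In the model, only the `/*` entry admits `https://www.example.com/events/list`, while neither entry admits the look-alike host.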