
How do I secure a Firebase deployment that includes all components of Firebase?

We recently faced a DDOS attack on our Firebase Hosting secured by Cloudflare that led to excessive billing. With this, other components of Firebase like Firebase Auth, Firestore, and Firebase Cloud Functions are at risk. My question is how do I secure all components of Firebase. I am aware of Firebase security rules, but I guess they secure only Firestore, Firebase Realtime Database and Cloud Storage. In summary, how do I secure a Firebase deployment that uses all the components of the Firebase suite to protect against DDOS attacks?

  1. Firebase Authentication
  2. Firestore database
  3. Firebase Cloud Functions
  4. Firebase Cloud Messaging

1 ACCEPTED SOLUTION

Greetings @dheerajpanyam!

There are a number of ways you can secure your Firebase deployment from a DDOS attack; check out the Firebase Security Checklist. It contains guidelines on how you can secure your Firebase resources. It covers key points such as:

  • Set up monitoring and alerting for backend services
  • Enable App Check - It protects your API resources from abuse by preventing unauthorized clients from accessing your backend resources. It currently works with Realtime Database, Cloud Firestore, Cloud Storage, Cloud Functions, and Authentication
  • Configure your Cloud Functions to scale for normal traffic
  • Set up alerting to be notified when the limits are nearly reached
  • Prevent self-DOSes: test functions locally with the emulators
  • Where real-time responsiveness is less important, structure functions defensively

You can also take a look at this Stack Overflow post, as it makes a good point on how to secure Google Firebase from DDOS attacks and surprise bills.

If the above options don't work, you can contact Google Cloud Support to further look into your case. Let me know if it helped, thanks!
