Is it acceptable to leave a database (Cloud Firestore) unsecured when no site login is required?

Front-end Unresolved 2 1771
故里飘歌 2021-01-19 18:17

I'm building a game with Angular and (for the first time ever) I'm trying to add a high score table. I have set up a Firebase account and got a <

2 answers
  • 谎友^ (OP)
    2021-01-19 18:48

    I wish I could use red blinking underlined text here, but you should definitely not leave your database with this ruleset in place.

    Anyone who plays your game will see your database. With the ruleset you have, anyone can read and write anything to the database (not just your score board). You'll be allowing anyone to run their own system using your database, with the costs being charged to your account.

    At a minimum, given the description you've provided, you should:

    • Only allow reading & writing to your score board collection
    • Validate the score is a valid value (e.g. an integer and within a certain range)
    • Validate the name is a valid value (help protect against possible XSS attacks)
    • Validate no extra fields other than score and name are being written to a document (so people can't hide other payloads).
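A Firestore ruleset that applies the four points above, added here as an example rather than code from the question or answer. The collection name `scores`, the score range and the name length/character set are assumptions; adjust them to the game.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // No other match block exists, so every other path in the database
    // is denied by default: only the score board is reachable at all.
    // Collection name "scores" is an assumption.
    match /scores/{scoreId} {
      // The score board is public: anyone may read it.
      allow read: if true;
      // Only brand-new documents may be written, and only if they pass
      // validation. Existing entries can't be edited or deleted by clients.
      allow create: if isValidScore(request.resource.data);
      allow update, delete: if false;
    }
  }

  function isValidScore(data) {
    // Exactly the two expected fields: nothing extra can be hidden alongside them.
    return data.keys().hasOnly(['name', 'score'])
        && data.keys().hasAll(['name', 'score'])
        // score must be an integer inside a plausible range (bounds are assumptions)
        && data.score is int
        && data.score >= 0
        && data.score <= 1000000
        // name must be a short string limited to harmless characters
        // (length and character set are assumptions)
        && data.name is string
        && data.name.size() >= 1
        && data.name.size() <= 20
        && data.name.matches('^[A-Za-z0-9 _-]+$');
  }
}
```

The rules only check the shape of a document, not whether the score was earned honestly, so they stop the database being used as free storage but do not by themselves prevent someone posting a fake high score.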
