Is it acceptable to leave a database (Cloud Firestore) unsecured when no site login is required?

Question

I\'m building a game with Angular and (for the first time ever) I\'m trying to add a high score table. I have set up a Firebase account and got a <

Answer 1

I wish I could use red blinking underlined text here, but you should definitely not leave your database with this ruleset in place.

Anyone who plays your game will see your database. With the ruleset you have, anyone can read and write anything to the database (not just your score board). You'll be allow anyone to run their own system using your database, with the costs being charged to your account.

At a minimum, given the description you've provided, you should:

• Only allow reading & writing to your score board collection
• Validate the score is a valid value (e.g. an integer and within a certain range
• Validate the name is a valid value (help protect against possible XSS attacks)
• Validate no extra fields other than score and name be being written to a document (so people can't hide other payloads).

Answer 2

Generally speaking, those settings are used for testing purposes. You can allow users to read from your database only when you decide that those informations can be public. If you have sensitive information (i.e. user informations), it's mandatory to secure your database and allow only the users you that you decide that can read that informations. So if you decide later to add autentication, then it's a must to secure your database. That's the same regarding writting purposes.

Hope it helps.