General security guidelines for different development workflow environments
This page describes the most important best practices for security across environments, but review the [Security checklist](/support/guides/security-checklist) for more detailed and thorough guidance about security and Firebase.
Security for pre-production environments
One benefit of separating environments into different Firebase projects is that a malicious actor who is able to access your pre-production environments won't be able to access real user data. Here are the most important security precautions to take for pre-production environments:
Limit access to pre-production environments. For mobile apps, use [App Distribution](/docs/app-distribution) (or something similar) to distribute an app to a specific set of people. Web applications are harder to restrict; consider setting up a [blocking function](https://cloud.google.com/identity-platform/docs/blocking-functions) for the pre-production environments that restricts access to users with email addresses that are specific to your domain. Or, if you're using Firebase Hosting, set up your pre-production workflows to use [temporary preview URLs](/docs/hosting/test-preview-deploy).
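The domain restriction described above is easy to get subtly wrong, so here is the decision logic of such a blocking function as an added example (this is not code from the Firebase docs or from Firebase itself). The allowed domains, the export names and the helper names are assumptions for the example; the event shape (`event.data` carrying `email` and `emailVerified`) is what `firebase-functions/v2/identity` passes to `beforeUserCreated` and `beforeUserSignedIn`.

```javascript
// Added example, not code from the Firebase docs: the decision logic behind an
// Authentication blocking function that keeps a pre-production project usable
// only by accounts on your own domain. The domain list is an assumption.
const ALLOWED_DOMAINS = ["example.com", "corp.example.com"]; // assumed for the example

/**
 * Decide whether an account may be created or signed in.
 * `user` mirrors the AuthUserRecord a blocking function receives as
 * event.data: at least { email, emailVerified }.
 * Returns { allow: true } or { allow: false, reason }.
 */
function evaluateSignIn(user, { allowedDomains = ALLOWED_DOMAINS, requireVerified = true } = {}) {
  const email = String((user && user.email) || "").trim().toLowerCase();
  if (!email) {
    return { allow: false, reason: "account has no email address" };
  }

  // Compare the exact domain after the last '@'. A bare suffix test such as
  // email.endsWith("example.com") would admit bob@notexample.com, and
  // eve@example.com.evil.net must fail because its domain is not in the list.
  const at = email.lastIndexOf("@");
  const domain = at >= 0 ? email.slice(at + 1) : "";
  if (at < 1 || !allowedDomains.includes(domain)) {
    return { allow: false, reason: `domain "${domain}" is not allowed` };
  }

  // An unverified address proves nothing: a federated provider that never
  // checked the mailbox, or a fresh email/password sign-up, can claim any
  // address. Require the verified flag unless the caller opts out (see the
  // beforeUserCreated note below).
  if (requireVerified && user.emailVerified !== true) {
    return { allow: false, reason: "email address is not verified" };
  }
  return { allow: true };
}

// Deployment wiring for the pre-production project (commented out so this
// file runs without firebase-functions installed). Register both triggers:
// beforeUserCreated stops accounts from being created, beforeUserSignedIn
// covers accounts that existed before the rule was added. Creation must skip
// the verified check for email/password sign-ups, otherwise the account can
// never be created and therefore never verified; sign-in then enforces it.
//
//   const { beforeUserCreated, beforeUserSignedIn, HttpsError } =
//     require("firebase-functions/v2/identity");
//   function guard(requireVerified) {
//     return (event) => {
//       const verdict = evaluateSignIn(event.data, { requireVerified });
//       if (!verdict.allow) throw new HttpsError("permission-denied", verdict.reason);
//     };
//   }
//   exports.preprodBeforeCreate = beforeUserCreated(guard(false));
//   exports.preprodBeforeSignIn = beforeUserSignedIn(guard(true));
```

Deploy the function only to the pre-production project and register it under Authentication > Settings > Blocking functions in the Firebase console; a deployed-but-unregistered blocking function does nothing. If your team signs in with Google Workspace accounts, `emailVerified` is already true on creation and the relaxed creation path is never exercised.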
When an environment doesn't need to be persisted and is only being used by one person (or, in the case of tests, by one machine), use the [Firebase Local Emulator Suite](/docs/emulator-suite). The emulators are safer and faster because they can work entirely on localhost instead of using cloud resources.
Make sure that you have [Firebase Security Rules](/docs/rules) set up in pre-production environments, just as you do in production. In general, the Rules should be the same across environments, with the caveat that since rules change with code, there may be rules earlier in the pipeline that don't yet exist in production.
Security for production environments
Production data is always a target, even if the app is obscure. Following these guidelines doesn't make it impossible for a malicious actor to get your data, but it makes it more difficult:
Enable and enforce [App Check](/docs/app-check) for all the products you're using that support it. App Check makes sure that requests to your backend services are coming from your genuine apps. Until enforcement is turned on, unattested requests are only counted in the metrics, not rejected, so enabling alone is not enough. In order to use it, you need to register each version of your app with App Check. It's easier to set up before you have users, so set it up as soon as possible.
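For Firebase products, enforcement is a switch in the console. For a custom backend you have to verify the token yourself, and that is what "enforce" means in code. The following is an added example, not Firebase's own code: an Express-style middleware that rejects any request whose `X-Firebase-AppCheck` header is missing, forged or (optionally) replayed. The verifier is injected so the file runs offline against the constructed stub below; in production you pass the Admin SDK's `getAppCheck().verifyToken`. The header name and the `alreadyConsumed` field match the Admin SDK; the stub, the sample token and the app ID are constructed for the example.

```javascript
// Added example, not code from the Firebase docs: enforce App Check on a custom
// backend by verifying the App Check token on every request.
// Production wiring (commented out so this file runs without firebase-admin):
//   const { initializeApp } = require("firebase-admin/app");
//   const { getAppCheck } = require("firebase-admin/app-check");
//   initializeApp();
//   app.use(appCheckMiddleware((token, opts) => getAppCheck().verifyToken(token, opts)));

const APP_CHECK_HEADER = "x-firebase-appcheck"; // Node lower-cases incoming header names

/**
 * Middleware factory. `verifyToken(token, { consume })` must resolve to the
 * decoded claims ({ appId, token, alreadyConsumed? }) or reject.
 * With `consume: true` the Admin SDK marks the token as used and reports
 * `alreadyConsumed` on a second sighting, which blocks replay at the cost of
 * an extra round trip to the App Check service per request.
 */
function appCheckMiddleware(verifyToken, { consume = false } = {}) {
  return async (req, res, next) => {
    const token = req.headers[APP_CHECK_HEADER];
    if (typeof token !== "string" || token.length === 0) {
      return res.status(401).send("Missing App Check token");
    }
    let claims;
    try {
      claims = await verifyToken(token, { consume });
    } catch (err) {
      // Forged, expired, or issued to an app that is not registered in this project.
      return res.status(401).send("Invalid App Check token");
    }
    if (consume && claims.alreadyConsumed) {
      return res.status(401).send("App Check token already used");
    }
    req.appCheck = claims; // claims.appId is useful for per-app logging
    return next();
  };
}

// --- Offline harness: a constructed stub verifier and a minimal fake response ---
const VALID_TOKEN = "constructed.valid.token"; // constructed sample value, not a real token
const consumedTokens = new Set();

async function stubVerifyToken(token, { consume = false } = {}) {
  if (token !== VALID_TOKEN) throw new Error("token failed verification");
  const alreadyConsumed = consume && consumedTokens.has(token);
  if (consume) consumedTokens.add(token);
  return { appId: "1:000000000000:web:constructed", token: {}, alreadyConsumed };
}

/** Run one request through the middleware; resolves to { passed, status, body }. */
async function simulate(headers, options) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
  let calledNext = false;
  await appCheckMiddleware(stubVerifyToken, options)({ headers }, res, () => { calledNext = true; });
  return { passed: calledNext, status: calledNext ? 200 : res.statusCode, body: res.body };
}
```

For callable Cloud Functions you do not need this middleware: `onCall({ enforceAppCheck: true }, handler)` from `firebase-functions/v2/https` performs the same rejection for you. The client side still has to be initialised with App Check and a registered attestation provider, otherwise no token is attached and every request is rejected once enforcement is on.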
Write robust [Firebase Security Rules](/docs/rules). Realtime Database, Cloud Firestore, and Cloud Storage all rely on developer-configured Rules to enforce who should and shouldn't be able to access data. It's essential to your security that you write good Rules. If you're not sure how, start with this [codelab](/codelabs/firebase-rules).
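The pre-production section above says the same Rules file should ship to every environment, and this item says the file must actually be robust. As an added example (not from the Firebase docs or the codelab), here is a Cloud Firestore rules file with the common weak pattern kept as a comment next to a hardened version. The `users/{uid}/notes` collection, its field names and the size limits are assumptions for the example.

```rules
// Added example, not code from the Firebase docs. Collection layout, field
// names and limits are assumptions for the example.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BEFORE (weak): every signed-in user can read and write every document.
    // This is what a "test mode" project or a hasty first rule looks like;
    // any account, including one created by an attacker, has full access.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // AFTER (hardened): nothing is matched by default, so nothing is allowed
    // by default; open exactly the paths the app needs and validate writes.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // Check the shape of what is written, not only who writes it.
    function validNote(note) {
      return note.keys().hasAll(['ownerUid', 'title', 'body', 'updatedAt'])
        && note.keys().hasOnly(['ownerUid', 'title', 'body', 'updatedAt'])
        && note.ownerUid is string
        && note.title is string && note.title.size() <= 200
        && note.body is string && note.body.size() <= 10000
        && note.updatedAt == request.time;
    }

    match /users/{uid}/notes/{noteId} {
      allow read: if isOwner(uid);
      allow create: if isOwner(uid)
        && validNote(request.resource.data)
        && request.resource.data.ownerUid == uid;
      allow update: if isOwner(uid)
        && validNote(request.resource.data)
        && request.resource.data.ownerUid == resource.data.ownerUid; // owner is immutable
      allow delete: if isOwner(uid);
    }
    // Any path not matched above is denied.
  }
}
```

Keep this file in the repository next to the code and deploy the same file to every project (`firebase deploy --only firestore:rules --project <alias>`), so a rule that exists only in pre-production is a deliberate pipeline stage, not an accident. Run rules tests against the Local Emulator Suite (`firebase emulators:exec --only firestore "npm test"`) so the tests never touch cloud data.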
Review the [Security checklist](/support/guides/security-checklist) for more recommendations about security for production environments.
Next steps
Review the [Firebase launch checklist](/support/guides/launch-checklist).
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated (UTC): 2025-08-04.