The ability disable default domains
Sparky
shared this idea
-
Evgenii S commented
This is so frustrating. I think it might be a better time investment to get rid of firebase all together, because there is no way to use cloudflare properly on top of the default generated domains.
I use caching from cloudflare to avoid costs when my content is accessed, and with Firebase it is literally impossible because it the cloudflare can be bypassed so easily.
-
Good guy commented
No firewalls can be added to default domain, the default domain can be scanned and the database can be injected If no firewalls such as Cloudflare can be added to it
-
Quote: "Hi Support,
I understand, but giving a site a lengthy and random name is not resolving the case, same as robots.txt, which is for search engine robots only.
Because the loophole here is in the DNS lookup system, one can easily see the TXT records that contains the project name and therefore find the unprotected default domain name, especially when I am using the custom domain to connect to the firebase functions server. It generates extra costs If attacked and even data leakage when scanned by some tools If not protected by a firewall. How do I resolve this?
All in all, I do not want my proejct ID to be public and so as the default domains, because it cannot be protected by firewalls like Cloudflare and subject to DDOS attacks etc. Thanks." -
Anthony Boyd commented
Or at a minimum, add the ability to make them 301 (Permanently Moved) to the custom domain.