How can Next.JS help with security of a SPA react vite app.
Unanswered
Stony gall posted this in #help-forum
Stony gall (OP):
Hello there.
I am working on a SPA React Vite app. The backend is Firebase. I am using Firebase for auth and Firestore (database). Most of my application's business logic is in the SPA itself to reduce cost, so that it can scale horizontally via the user's machine.
I have recently started thinking about its security. Although all my backend data is secured via Firebase rules and is behind auth, I am worried that the fully built bundle of my app can be used by a bad actor to deploy a clone of my app by simply replacing the Firebase configs and keys. The bad actor will not need to reverse engineer my code; all he needs to do is inject his own Firebase config.
So I am thinking about changing strategy.
Option 1: switching to Next.js to perform SSR and vend the final HTML file to the client. This way, the business logic code will execute on the server. (Downside: cost of the server, and cost of migrating from Vite to Next.js.)
Option 2: using Cloud Functions for business logic. (Downsides: cost of Cloud Functions, and cost of additional reads that the CF needs to do on Firestore, because I won't be able to use my existing cached data on the client side using Redux.)
Are there additional options that you can think of? What are your thoughts on my problem in general?
P.S.: I have always been a backend dev and recently started to dip my toes into frontend. Maybe this has a trivial answer I am not aware of.
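As an added illustration of the trust boundary behind the poster's Option 2 (this is example code, not code from the original post or from Firebase): the business rule is written as a pure function that only a server-side handler calls, so a cloned bundle with a swapped Firebase config carries none of the logic and cannot skip the auth and input checks. The handler takes the same `{ data, auth }` shape a Firebase callable receives; the coupon table, the `applyCoupon` rule and the wiring comment are all constructed assumptions, and the block has no Firebase dependency so it runs offline.

```javascript
// Added example, not from the original post: a dependency-free model of
// moving a business rule server-side (the question's "Option 2").
// Assumed wiring in a real deployment (not part of this block):
//   const { onCall } = require('firebase-functions/v2/https');
//   exports.applyCoupon = onCall((request) => applyCouponHandler(request));
// Firebase populates request.auth from the verified ID token, so the
// client cannot forge the uid the handler sees.

// Constructed coupon catalogue, standing in for a Firestore document read.
const COUPONS = {
  WELCOME10: { percentOff: 10, minTotal: 20 },
  VIP25: { percentOff: 25, minTotal: 100 },
};

// Pure business rule. It lives only in the server bundle, so a cloned
// client has nothing to replay and no way to alter the discount.
function applyCoupon(total, code) {
  const coupon = COUPONS[code];
  if (!coupon) throw new Error('invalid-argument: unknown coupon');
  if (total < coupon.minTotal) throw new Error('failed-precondition: order below minimum');
  // Round to cents to avoid float drift in the returned price.
  return Math.round(total * (100 - coupon.percentOff)) / 100;
}

// Handler with the shape of a Firebase callable request: { data, auth }.
// Every check happens here, server-side, regardless of which client sent it.
function applyCouponHandler(request) {
  // Reject anonymous callers before touching any data.
  if (!request.auth || !request.auth.uid) {
    return { ok: false, code: 'unauthenticated' };
  }
  // Validate the client-supplied payload; never trust its types or ranges.
  const { total, code } = request.data || {};
  if (typeof total !== 'number' || !Number.isFinite(total) || total < 0 || typeof code !== 'string') {
    return { ok: false, code: 'invalid-argument' };
  }
  try {
    return { ok: true, uid: request.auth.uid, total: applyCoupon(total, code) };
  } catch (e) {
    // Map rule failures to a callable-style error code without leaking internals.
    return { ok: false, code: e.message.split(':')[0] };
  }
}
```

The client side of this design only sends `{ total, code }` and renders the response; the discount table and the rule itself never reach the browser, which is the property the poster is after. The extra Firestore read the handler would do (here replaced by the `COUPONS` constant) is the cost the post already identifies for this option.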