Why Google Sheets needs a firewall

Google Sheets was designed for people, not APIs. When you connect it to a web app, you're opening a data channel that wasn't built with web security in mind. Three things go wrong almost immediately:

🔴

Credential exposure. The Google Sheets API requires a service account key — a JSON file with full read/write access. If you call the API directly from your frontend JavaScript, that key is visible to anyone who opens browser DevTools. They can then read or overwrite your entire Sheet.

⚠️

No rate control. The raw Sheets API has a quota of 300 requests per minute per project. Without per-user rate limiting, one misbehaving client — or a simple scripted attack — can exhaust your quota and block every other user.

⚠️

No input validation. Without validation, any data submitted through your frontend goes directly into the Sheet. Malformed values, oversized strings, and formula injection attacks (e.g. =IMPORTRANGE(...) in a cell) can corrupt your data silently.

The traditional fix is to build a backend server that holds the credentials, validates input, and proxies requests. Sheet_FireWall is that backend — already built, already deployed, already running between your app and your Sheet.

What Sheet_FireWall is

Sheet_FireWall is GSheetBridge's built-in security and routing layer. It runs on every single request your web app makes — before anything touches your Google Sheet.

Your App
Web App (React, Vue, vanilla JS)
Calls gsb.read() or gsb.write() with your API key. Never handles Google credentials.
↓ every request ↓
FireWall
Sheet_FireWall — Auth · Validation · Rate Limit · Dedup
Intercepts every request. Authenticates, validates, rate-limits, and deduplicates before passing through.
↓ only clean requests ↓
Sheets
Your Google Sheet
Only receives authenticated, validated, deduplicated writes. Credentials stored server-side, never in the browser.

Sheet_FireWall is not a setting you turn on — it's always on, on every request, by default. There's no way to accidentally bypass it.

The 3 security layers explained

Sheet_FireWall operates across three distinct layers on every request. Here's exactly what each one does:

🔑
Layer 1 — API Key Authentication
Every request must carry a valid GSheetBridge API key. The key is verified against your registered account. Invalid or missing keys are rejected immediately with a 401 response — no Sheet access is attempted.
🔍
Layer 2 — Input Validation
All incoming data is checked for type correctness, length limits, and format compliance before any write occurs. Formula injection attempts (values starting with =, +, -, @) are sanitized automatically.
Layer 3 — Rate Limiting
API calls are counted per user against your plan quota (10,000/day on Starter). When the limit is reached, further requests return a 429 response with a retryAfter field. One abusive client can't exhaust the quota for others.
🌐
CORS Origin Control
Pro plan users can restrict which domains are allowed to send requests. Requests from unlisted origins are rejected before authentication even runs, preventing unauthorized sites from using your API key.
♻️
Deduplication
A 10-second dedup window prevents the same value from being written to the same cell twice. Double-clicks, browser retries, and network hiccups produce exactly one write — not many.
🔒
Credential Isolation
Your Google service account JSON key is stored in GSheetBridge's server infrastructure. It is never sent to the browser, never included in API responses, and never logged in a form readable by your frontend code.

How credentials are protected

This is the most important security property of Sheet_FireWall, so it's worth being explicit about.

When you register with GSheetBridge, a Google Sheet (your GSheet_Firewall) is automatically created in your Drive. A GSheetBridge service account is granted write access to it. That service account's credentials live on GSheetBridge's servers — not in your app, not in your HTML, not anywhere a browser can reach them.

Your web app only ever holds your GSheetBridge API key. This key:

Safe to include in frontend JavaScript. Your GSheetBridge API key can appear in your client-side code. If someone copies it, they can only access your Sheet through Sheet_FireWall — meaning they're still subject to rate limits, validation, and CORS restrictions.

Configuring Sheet_FireWall

Sheet_FireWall is configured through your GSheet_Firewall Google Sheet — the one automatically created in your Drive at registration. You don't write config files or deploy anything. You edit a spreadsheet.

The Config_GSB tab holds your settings:

Config_GSB sheet (A column) 
A1: your-api-key              ← your GSheetBridge USER_KEY
A2: https://us-central1-...    ← router URL (set automatically)

Additional configuration — rate limits, allowed origins, access scopes — is managed from your dashboard. Changes take effect on the next request with no redeployment required.

Generating a new secret

If you suspect your API key has been compromised, you can generate a new secret from the dashboard at any time. The old key is invalidated immediately — all requests using it will return a 401 until your app is updated with the new key.

JavaScript 
// Regenerate secret via API (requires token auth)
const response = await fetch(GSB_ROUTER, {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${idToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ action: 'generateNewSecret' })
});
const { secret } = await response.json();
// Store the new secret in your Apps Script properties

What a blocked request looks like

When Sheet_FireWall rejects a request, it returns a structured JSON error — never a raw Google API error. This makes it easy to handle in your frontend.

Authentication failure (invalid API key)

JSON response 
{
  "status": "Error",
  "message": "Invalid Key",
  "retryable": false
}

Rate limit exceeded

JSON response 
{
  "status": "Error",
  "message": "Limit Exceeded",
  "retryAfter": 60,
  "retryable": true
}

Deduplicated write (not an error — a success)

JSON response 
{
  "status": "Success: Cell Unchanged (dedup)",
  "dedup": true
}

The retryable field tells your app whether it's worth retrying. Rate limit errors are retryable after retryAfter seconds. Auth errors are not retryable — a key rotation is needed.

Frequently asked questions

What is Sheet_FireWall?

Sheet_FireWall is GSheetBridge's built-in security layer that sits between your web app and your Google Sheet. It handles API key authentication, input validation, rate limiting, deduplication, and CORS control on every request — without any code from you.

Does Sheet_FireWall expose my Google Sheets credentials?

No. Your Google service account credentials are stored server-side and never sent to the browser. Your frontend only ever handles your GSheetBridge API key, which has no direct Google API permissions.

Can I configure what Sheet_FireWall allows or blocks?

Yes. Rate limits, access scopes, and allowed origins are configurable from your dashboard. The Config_GSB tab in your GSheet_Firewall spreadsheet holds your core settings. Changes take effect immediately with no redeployment.

What happens if someone steals my API key?

They can still only access your Sheet through Sheet_FireWall — subject to your rate limits and CORS restrictions. Generate a new secret from your dashboard to invalidate the old key immediately. This is why keeping your Google service account credentials server-side matters: a stolen GSheetBridge key is far less damaging than a stolen Google service account key.

See Sheet_FireWall in action

Start your 30-day free trial — no credit card, full platform access from day one.

Start Building Free
More from the GSheetBridge blog
Tutorial
How to connect Google Sheets to a web app without a backend
Use Case
Google Sheets as a database: pros, cons, and when it makes sense
Comparison
GSheetBridge vs Google Sheets API: what is the difference?