My landing page is a coming soon page with Call to Action of subscribing which takes in name, email address etc from the user. The user need not be authenticated to subscribe. He can be any random person who visits this page. I feel the rule should be ".read": false, ".write": true. But Google warns me saying write:true will allow anyone to write to the database even people who do not use the app.
I feel that this is only natural until I put a CAPTCHA or something. How are such issues tackled(spam prevention in subscription or coming soon pages which have forms)?
What you could do to prevent abuse only using security rules (it will not prevent all sorts of spam, for that you should go into captchas and other solutions), you could setup e-mail authentication on Firebase and request e-mail confirmation. Go under Authentication > Sign-in methods > Enable e-mail.
When you save the user e-mail and username on your database, you can create a "users" node in your database and save it under the user id Firebase assigns to the user.
Firebase will request a password, as you don't need users to be subscribed and you just need to keep their e-mail and password, just assign a mock password to all users.
It would look like this:
As you're just capturing e-mail and name for yourself and you don't need users to be authenticated, I don't see why you would give users write or read permissions. Just do the logic within your program to save this data.
Then your rules would look like this:
No user is allowed to read or write to your database as you're managing it yourself.