I have a firebase https function:

exports.updateDatabase = functions.https.onRequest((req, res) => {
  // ...
});

Which can be called via: https://us-central1-xxx-xxx.cloudfunctions.net/date

Does it mean that anyone with this url is able to update the database?

Is there a way to secure it when calling it from browser?

You can't stop the function from being invoked by anyone who knows the URL.

You can stop the function from doing something harmful by only allowing it to perform its intended action by requiring that an authenticated user call it, assuming you trust that user.

There is an example of requiring authentication in the official code samples here.