Is it safe to expose Firebase apiKey to the public

Question

The Firebase Web-App guide states I should put the given apiKey in my Html to initialize Firebase      TODO  Replace with your project s customized code snippet  lt script src  https   www gstatic com firebasejs 3 0 2 firebase js  gt  lt  script gt   lt script gt       Initialize Firebase   var config         apiKey    lt your-api-key gt        authDomain    lt your-auth-domain gt        databaseURL    lt your-database-url gt        storageBucket    lt your-storage-bucket gt          firebase initializeApp config    lt  script gt    By doing so  the apiKey is exposed to every visitor  What is the purpose of that key and is it really meant to be public

User · Answer

After reading this and after I did some research about the possibilities, I came up with a slightly different approach to restrict data usage by unauthorised users:

I save my users in my DB too (and save the profile data in there). So i just set the db rules like this:

".read": "auth != null && root.child('/userdata/'+auth.uid+'/userRole').exists()",
".write": "auth != null && root.child('/userdata/'+auth.uid+'/userRole').exists()"

This way only a previous saved user can add new users in the DB so there is no way anyone without an account can do operations on DB. also adding new users is posible only if the user has a special role and edit only by admin or by that user itself (something like this):

"userdata": {
  "$userId": {
    ".write": "$userId === auth.uid || root.child('/userdata/'+auth.uid+'/userRole').val() === 'superadmin'",
   ...

User · Answer

The API key exposure creates a vulnerability when user password sign up is enabled  There is an open API endpoint that takes the API key and allows anyone to create a new user account  They then can use this new account to log in to your Firebase Auth protected app or use the SDK to auth with user pass and run queries   I ve reported this to Google but they say it s working as intended   If you can t disable user password accounts you should do the following  Create a cloud function to auto disable new users onCreate and create a new DB entry to manage their access   Ex  MyUsers  userId  Access  0    exports addUser   functions auth user   onCreate onAddUser   exports deleteUser   functions auth user   onDelete onDeleteUser     Update your rules to only allow reads for users with access   1   On the off chance the listener function doesn t disable the account fast enough then the read rules will prevent them from reading any data

User · Answer

EXPOSURE OF API KEYS ISN T A SECURITY RISK BUT ANYONE CAN PUT YOUR CREDENTIALS ON THEIR SITE  Open api keys leads to attacks that can use a lot resources at firebase that will definitely cost your hard money  You can always restrict you firebase project keys to domains   IP s  https   console cloud google com apis credentials key select your project Id and key and restrict it to Your Android iOs web App

User · Answer

The apiKey in this configuration snippet just identifies your Firebase project on the Google servers  It is not a security risk for someone to know it  In fact  it is necessary for them to know it  in order for them to interact with your Firebase project  This same configuration data is also included in every iOS and Android app that uses Firebase as its backend  In that sense it is very similar to the database URL that identifies the back-end database associated with your project in the same snippet  https    lt app-id gt  firebaseio com  See this question on why this is not a security risk  How to restrict Firebase data modification   including the use of Firebase s server side security rules to ensure only authorized users can access the backend services  If you want to learn how to secure all data access to your Firebase backend services is authorized  read up on the documentation on Firebase security rules  These rules control access to file storage and database access  and are enforced on the Firebase servers  So no matter if it s your code  or somebody else s code that uses you configuration data  it can only do what the security rules allow it to do  For another explanation of what Firebase uses these values for  and for which of them you can set quotas  see the Firebase documentation on using and managing API keys   If you d like to reduce the risk of committing this configuration data to version control  consider using the SDK auto-configuration of Firebase Hosting  While the keys will still end up in the browser in the same format  they won t be hard-coded into your code anymore with that

User · Answer

Building on the answers of prufrofro and Frank van Puffelen here  I put together this setup that doesn t prevent scraping  but can make it slightly harder to use your API key  Warning  To get your data  even with this method  one can for example simply open the JS console in Chrome and type  firebase database   ref  quot  get all the data quot   once  quot value quot   function  data        console log data val          Only the database security rules can protect your data  Nevertheless  I restricted my production API key use to my domain name like this   https   console developers google com apis Select your Firebase project Credentials Under API keys  pick your Browser key  It should look like this   quot Browser key  auto created by Google Service  quot  In  quot Accept requests from these HTTP referrers  web sites  quot   add the URL of your app  exemple  projectname firebaseapp com      Now the app will only work on this specific domain name  So I created another API Key that will be private for localhost developement   Click Create credentials  gt  API Key  By default  as mentioned by Emmanuel Campos  Firebase only whitelists localhost and your Firebase hosting domain   In order to make sure I don t publish the wrong API key by mistake  I use one of the following methods to automatically use the more restricted one in production  Setup for Create-React-App In  env development  REACT APP API KEY    dev-key     In  env production  REACT APP API KEY    public-key     In  src index js const firebaseConfig       apiKey  process env REACT APP API KEY

User · Answer

I am not convinced to expose security config keys to client  I would not call it secure  not because some one can steal all private information from first day  because someone can make excessive request  and drain your quota and make you owe to Google a lot of money    You need to think about many concepts from restricting people not to access where they are not supposed to be  DOS attacks etc    I would more prefer the client first will hit to your web server  there you put what ever first hand firewall  captcha   cloudflare  custom security in between the client and server  or between server and firebase and you are good to go  At least you can first stop suspect activity before it reaches to firebase  You will have much more flexibility   I only see one good usage scenario for using client based config for internal usages  For example  you have internal domain  and you are pretty sure outsiders cannot access there  so you can setup environment like browser -  firebase type

User · Answer

I am making a blog website on github pages  I got an idea to embbed comments in the end of every blog page  I understand how firebase get and gives you data  I have tested many times with project and even using console  I am totally disagree the saying vlit is vulnerable  Believe me there is no issue of showing your api key publically if you have followed privacy steps recommend by firebase  Go to https   console developers google com apis and perfrom a security steup

User · Answer

It is oky to include them  and special care is required only for Firebase ML or when using Firebase Authentication  API keys for Firebase are different from typical API keys  Unlike how API keys are typically used  API keys for Firebase services are not used to control access to backend resources  that can only be done with Firebase Security Rules  Usually  you need to fastidiously guard API keys  for example  by using a vault service or setting the keys as environment variables   however  API keys for Firebase services are ok to include in code or checked-in config files    Although API keys for Firebase services are safe to include in code  there are a few specific cases when you should enforce limits for your API key  for example  if you re using Firebase ML or using Firebase Authentication with the email password sign-in method  Learn more about these cases later on this page   For more informations  check  the offical docs

User · Answer

I believe once database rules are written accurately  it will be enough to protect your data  Moreover  there are guidelines that one can follow to structure your database accordingly  For example  making a UID node under users  and putting all under information under it  After that  you will need to implement a simple database rule as below      rules          users             uid               read    auth    null  amp  amp  auth uid     uid             write    auth    null  amp  amp  auth uid     uid                        No other user will be able to read other users  data  moreover  domain policy will restrict requests coming from other domains   One can read more about it on  Firebase Security rules

User · Answer

You should not expose this info  in public  specially api keys  It may lead to a privacy leak   Before making the website public you should hide it  You can do it in 2 or more ways   Complex coding hiding Simply put firebase SDK codes at bottom of your website or app thus firebase automatically does all works  you don t need to put API keys anywhere

[javascript] Is it safe to expose Firebase apiKey to the public?

Examples related to javascript

Examples related to firebase