
Firebase must be initialized with some configuration that tells the location of storage, database, etc.

var config = { ... }
firebase.initializeApp(config);

But because this is not done on the server side, it is easily visible to all. Of course, you could write database security rules to not allow unintended users to access data, but what if we don't want to show the config info at all?

Here is a little web app built with Firebase - Tic Tac Tic Tac Toe. If you see its source code, you will not see any config information, but it does use Firebase. I tried looking in all JS files to see if the info is there, but I can't find it. On line #41 in the client.js file under the js folder is a reference to the database:

$scope.rootRef = new Firebase("https://tic-tac-tic-tac-toe.firebaseio.com/");

That's all that is present in the JS files as far as I know; there is no API key, which is a requirement and not optional.

#AskFirebase
gegobyte
  • That site is made in the old version of Firebase. That's why the initialisation of the Firebase connection is different. [Firebase upgrade guide](https://firebase.google.com/support/guides/firebase-web#get_a_database_reference_numbered) showing the difference. – André Kool Aug 08 '16 at 17:54
  • The configuration data is not meant to be a secret, you can safely put it in your web app. In fact: it is required for the app to be able to find its Firebase project on the server. See http://stackoverflow.com/questions/37482366/what-is-the-firebase-apikey-for – Frank van Puffelen Aug 08 '16 at 18:22
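
An added example, not part of the original question or comments: a small audit of client-side JavaScript that separates the identifiers a Firebase web app is expected to expose (the legacy `new Firebase(url)` reference and the `initializeApp` config keys) from service-account fields that should never reach a browser. The function name, the sample inputs and every value except the URL quoted in the question are constructed placeholders.

```javascript
// Identifiers the web SDK needs in order to locate the project. They are
// public by design; access control is enforced by security rules.
const PUBLIC_CONFIG_KEYS = ["apiKey", "authDomain", "databaseURL",
                            "storageBucket", "messagingSenderId"];
// Fields of a service-account key file, which belongs on servers only.
const SECRET_KEYS = ["private_key", "client_email"];

// Hypothetical helper: report what a client-side source string exposes.
function auditFirebaseClientSource(src) {
  const report = { legacyRefs: [], publicConfig: {}, secretsFound: [] };

  // Legacy SDK: the database URL passed to the constructor is the whole
  // "config", which is why no API key appears in such an app.
  const legacy = /new\s+Firebase\(\s*["']([^"']+)["']\s*\)/g;
  for (const m of src.matchAll(legacy)) report.legacyRefs.push(m[1]);

  // Current SDK: key/value pairs of the object given to initializeApp().
  for (const key of PUBLIC_CONFIG_KEYS) {
    const re = new RegExp(`["']?${key}["']?\\s*:\\s*["']([^"']*)["']`);
    const m = src.match(re);
    if (m) report.publicConfig[key] = m[1];
  }

  // Any service-account field in client code is a finding.
  for (const key of SECRET_KEYS) {
    if (new RegExp(`["']?${key}["']?\\s*:`).test(src)) report.secretsFound.push(key);
  }
  report.ok = report.secretsFound.length === 0;
  return report;
}

// Sample inputs: the first line is quoted in the question, the rest is constructed.
const legacySample =
  '$scope.rootRef = new Firebase("https://tic-tac-tic-tac-toe.firebaseio.com/");';
const currentSample = `
var config = {
  apiKey: "EXAMPLE-API-KEY",
  authDomain: "example-project.firebaseapp.com",
  databaseURL: "https://example-project.firebaseio.com",
  storageBucket: "example-project.appspot.com"
};
firebase.initializeApp(config);`;
const leakedSample = currentSample +
  '\nvar sa = { "client_email": "svc@example.invalid", "private_key": "PLACEHOLDER" };';

console.log(auditFirebaseClientSource(legacySample));
console.log(auditFirebaseClientSource(leakedSample));
```
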

0 Answers