0

I'm sorry if it's a duplicate question, but I haven't found any answers that answer my question.

I use firebaseConfig to initialize firebase in my app. As far as I know, there's no way to secure keys when using only client-side code so anyone may access my firebase config.

I've read about security rules. But what prevents bad guys from siging up in my app, copying my config, and starting local server, logining in and accessing database data?

I thought about authDomain, but it allows using localhost, even if I can prevent from sending requests from localhost, the app needs maintaining so it's required to use localhost from time to time.

So the questions is how to prevent from signin-up, and using firebase key on localhost.

By the way, is it secure enough to use stripe API payments without in my single page app?

Stanislau Buzunko
  • 1,630
  • 1
  • 15
  • 27
  • What do you mean *copying my config*? – Dravidian Oct 24 '16 at 11:55
  • `const config = { apiKey: '', authDomain: '', databaseURL: '', storageBucket: '' };` That's all that needed to initialize firebase in a project, and this info can be found in source code. Why can't you copy that config to your app to access database info? – Stanislau Buzunko Oct 24 '16 at 12:02
  • 1
    See Frank's Answer here:- http://stackoverflow.com/a/37484053/6297658 – Dravidian Oct 24 '16 at 13:30
  • Use Firebase's security rules to describe what operations are allowed on your data. If somebody builds an app that adheres to the security rules of your app, there is no way (but also no need) to distinguish it from your code. – Frank van Puffelen Oct 24 '16 at 14:06

0 Answers0