
I just finished setting up a small web interface showing data contained in a Firebase database of mine. It displays the data I want and also allows me to go and do some changes if needed.

One issue is still left there though. It is possible for any user to check the page source and have access to information like:

.....

```javascript
var config = {
  apiKey: ".........",
  authDomain: "..........firebaseapp.com",
  databaseURL: "..........firebaseio.com",
  projectId: ".........",
  storageBucket: "..........appspot.com",
  messagingSenderId: "........."
};

firebase.initializeApp(config);
```

.....

I don't think this is what I want. So the question is: what is the best way to hide this kind of information from public eyes?

Or there may be just no need to hide it? According to some post I read that may actually be the case. I just want to confirm that things haven't changed with recent versions of Firebase.

Thanks in advance for any relevant tip.

As a reference:

Here are some posts talking about this subject:

  1. Is it safe to expose Firebase apiKey to the public?
  2. https://groups.google.com/forum/#!topic/firebase-talk/-u2wBWSETds

  3. http://grokbase.com/t/gg/firebase-talk/165q6wryye/firebase-how-to-hide-the-apikey-authdomain-in-the-web-app

This other post seems to have a different view though:

Michel
  • Hi Michel. Could you also link the "*some post*" where you read that there's no need to hide it? (Might be that the source itself is already reliable and we could confirm it from there). But AFAIK, if the credentials being shown don't really have risks where users might be able to use the service with no auth, then it should be fine. Cheers! :) – AL. May 11 '17 at 06:34
  • Hi AL. I just edited my post to add a few links. Please take a look. – Michel May 14 '17 at 08:38
  • Hi Michel. Sorry wasn't able to get back to you sooner. The 1st post you linked (an answer I upvoted too way before) is already a ***highly reliable answer***. In the other post that you said it says a *different view* from the same user, I think it is referring to a different API key, one that is used for authorization/authentication when using an API (e.g. the [Server Key](https://firebase.google.com/docs/cloud-messaging/concept-options#credentials) for FCM). – AL. May 19 '17 at 11:22

0 Answers