Couldn't someone use my API keys to run an instance publicly and spam me with accounts? If I remove localhost as an accepted incoming address, then I can't do anything locally.
Asked
Active
Viewed 249 times
0
-
https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Octo Aug 24 '17 at 14:35
-
They can create accounts indeed. While those accounts are admittedly annoying in the authentication console, they're not a security risk. – Frank van Puffelen Aug 24 '17 at 15:09
-
+1 to what Frank said. Anyone can simply go to some site (not necessarily using Firebase Auth) and keep creating random accounts manually. There is nothing you can do to completely stop that. You can always clean up unused accounts. There are Firebase Function samples on GitHub that help you do that. – bojeil Aug 25 '17 at 02:27