    var r = {
        apiKey: "blabla",
        authDomain: "rblabla",
        databaseURL: "blabla",
        projectId: "blabla",
        storageBucket: "",
        messagingSenderId: "blabla"
    };

My friend and I had a conversation about an exposed Firebase API; he has the API in the frontend site in minified JS.

Is there any request that I can pull off in order to play with it? I just want to show him that it's not the right thing to do. If yes, what is it? Thank you.

sheldonzy
sskumar
  • In addition to Michael's great answer, also see my answer here: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen Oct 03 '17 at 23:35

1 Answer


If you're asking if it's safe to have your Firebase config values visible in your source code, the answer is yes; however, you must take advantage of Firebase's security rules.

Firebase is built to be consumed directly from untrusted clients -- the apiKey etc. are all values that are considered safe to disclose publicly. It is by writing security rules (for Cloud Storage, Cloud Firestore, or the Realtime Database) and integrating with Firebase Authentication that you can protect your data against unintended uses.

A corollary to this is that you must not consider your Firebase data safe just because you don't share the config strings. If you don't use security rules properly, someone can and will find a way to mess with your data and do things you don't want.

Michael Bleigh
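
An added example, not part of the original answer and not Firebase tooling: a small JavaScript check that walks a Realtime Database rules tree and lists every `.read` / `.write` rule that never references `auth`, which is the gap the answer warns about. The two rule sets, their path names and the helper `findUnauthenticatedRules` are constructed for illustration.

```javascript
// Constructed sample rule sets (not from the original post).
// WEAK: anyone holding the public config values can read and write everything.
const weakRules = {
  rules: { ".read": true, ".write": true },
};

// HARDENED: each user can only touch their own subtree. Paths with no rule are
// denied by default, and a rule granted at a parent cannot be revoked by a child.
const hardenedRules = {
  rules: {
    users: {
      $uid: {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
    public_posts: {
      ".read": true, // intentionally world-readable, should show up for review
      ".write": "auth != null && auth.token.admin === true",
    },
  },
};

// Hypothetical helper: report every .read/.write rule that is not `false` and
// never references `auth`, i.e. one an unauthenticated client may satisfy.
function findUnauthenticatedRules(node, path = "") {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === ".read" || key === ".write") {
      const expr = String(value).trim();
      if (expr !== "false" && !/\bauth\b/.test(expr)) {
        findings.push({ path: path || "/", rule: key, expr });
      }
    } else if (value !== null && typeof value === "object") {
      // Descend into child locations, including $wildcard segments.
      findings.push(...findUnauthenticatedRules(value, `${path}/${key}`));
    }
  }
  return findings;
}

console.log("weak:", findUnauthenticatedRules(weakRules.rules));
console.log("hardened:", findUnauthenticatedRules(hardenedRules.rules));
```

Each finding is a prompt for review rather than a verdict: a world-readable path can be a deliberate choice, as `public_posts` is here.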