
I want to hide the Firebase init code from my web application, since this is not secure for my Firebase database. All the information is in the init code, so a hacker can easily inject spam into my Firebase database. Here is the init code:

    // Initialize Firebase
    // TODO: Replace with your project's customized code snippet
    var config = {
      apiKey: "<API_KEY>",
      authDomain: "<PROJECT_ID>.firebaseapp.com",
      databaseURL: "https://<DATABASE_NAME>.firebaseio.com",
      storageBucket: "<BUCKET>.appspot.com",
      messagingSenderId: "<SENDER_ID>",
    };
    firebase.initializeApp(config);

Can anyone please give me a solution for this?

ReyAnthonyRenacia
mdkamrul
  • Since your web app is talking directly to the Firebase backend, it'll need the configuration data to do so. A common mistake is to think that these codes are secret, but they're actually just configuration data. See my answer here: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public and Kato's answer here: https://stackoverflow.com/questions/18005984/how-to-prevent-other-access-to-my-firebase – Frank van Puffelen Feb 14 '18 at 07:24
  • @FrankvanPuffelen thanks for your quick reply. I want some clarification on your answer: can you let me know how these codes are secret? I think a third party can take this code from the browser inspector and then use my database, so this person can easily inject spam into my database – mdkamrul Feb 14 '18 at 10:11
  • Any requirements on who can interact with your database and what they can do should be enforced on the server, not on the client. A simple way to do this is by using Firebase's server-side security rules, which both links I provided show more about. – Frank van Puffelen Feb 14 '18 at 11:56
  • @FrankvanPuffelen I meant it simply: if someone gets the code from the browser inspector, then he can use my database init and inject unwanted spam into my tables. Can you please give me a solution for this? – mdkamrul Mar 01 '18 at 14:17
  • To prevent them from doing that you'll want to write security rules, which Firebase enforces on the server. See https://firebase.google.com/docs/database/security/ – Frank van Puffelen Mar 01 '18 at 14:51
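
What the server-side security rules recommended in the comments above can look like for the Realtime Database, as an added example that is not part of the original thread. The `posts` path, its `uid`, `text` and `createdAt` fields and the 500-character limit are assumptions chosen for illustration.

```json
{
  "rules": {
    // Nothing is granted at the root, so every path not listed below is denied.
    "posts": {
      // Hypothetical public feed: anyone may read it.
      ".read": true,
      "$postId": {
        // Only signed-in users may write; an existing post may only be
        // changed or deleted by the user whose uid is stored on it.
        ".write": "auth != null && (!data.exists() || data.child('uid').val() === auth.uid)",
        // Every stored post must carry exactly these three fields.
        ".validate": "newData.hasChildren(['uid', 'text', 'createdAt'])",
        "uid": {
          // A client cannot write a post under another user's uid.
          ".validate": "newData.val() === auth.uid"
        },
        "text": {
          // Bounded, non-empty strings only (500 is an assumed limit).
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 500"
        },
        "createdAt": {
          // A numeric timestamp that is not in the future (server clock).
          ".validate": "newData.isNumber() && newData.val() <= now"
        },
        "$other": {
          // Reject any field that is not named above.
          ".validate": false
        }
      }
    }
  }
}
```

With rules like these in place, a copy of the `config` object taken from the browser only identifies the project; an unauthenticated or malformed write is rejected by the server regardless of which client sent it.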

0 Answers