1

At the moment I have a website hosted on GitHub pages which uses firebase. This has my API key publicly available. How do I add an extra layer of security to stop it from being shown?

An idea:

Currently

FIREBASE <------------> USER

Maybe more secure

FIREBASE <-------> SERVER <-------> USER This would only let the user get info from firebase if the server approves it and gives data to the user.

If the second option is the way to go, which server provider would you recommend?

Benjamin Sommer
  • 1,058
  • 3
  • 15
  • 35
  • **Knowing your public Firebase API key is not a security risk.** See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public. Knowing the API key is necessary for your app to be able to access some (but not all) Firebase products. Adding an indirection merely adds an extra step. As long as the key is *used* in your client-side code (which is needed if said code accesses those Firebase products that require it), user can get it from there. – Frank van Puffelen Mar 15 '18 at 18:25
  • Also read: https://www.quora.com/Is-it-dangerous-if-one-knows-the-values-of-my-Firebase-configuration-Every-person-can-read-the-source-code-of-my-Angular-5-app-in-the-front-end/answer/Doug-Stevenson-1 – Doug Stevenson Mar 15 '18 at 18:29
  • Btw: if you prefer having the level of indirection, consider [hosting on Firebase Hosting and using its auto-configuration](https://firebase.googleblog.com/2017/04/easier-configuration-for-firebase-on-web.html). It's still equally secure, just more convenient without having to explicitly specify the configuration data. :-) – Frank van Puffelen Mar 15 '18 at 18:35

0 Answers0