3

I am new to web development and by inspecting my website's source code through Chrome, for instance, I am able to see all the files, from HTML to js files that have API keys used to communicate with Firebase. Of course, this information shouldn't be public, so how do I hide it?

I am using Firebase Firestore for the database and Firebase Hosting to host the website.

rgoncalv
  • 2
    You can't. You can obfuscate, but even that won't prevent code or keys being taken. If corporations could prevent users from examining their HTML/CSS/JS, one might expect every corporation would do just that, but they don't. –  May 25 '18 at 16:45
  • 2
    You can't. The only thing you can do is restrict API access to your domain in Firebase. The API key is expected to be public when it's used from the client side. – Derek 朕會功夫 May 25 '18 at 16:45
  • The only thing you can do is obfuscate your code, but you would only make it more difficult for people to find your key. – Deblaton Jean-Philippe May 25 '18 at 16:47
  • 1
    https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Jaime Gómez May 25 '18 at 16:52

3 Answers

5

Client-side code is called "client-side" for a reason. You make a request from the client and the server responds. That response is delivered to the client and the client then parses the results. There is nothing you can do to hide or encrypt the response because, if you did, the client couldn't parse it.

Any/all proprietary code should be stored and executed on the server using one of the many server-side architectures (.php, ASP.NET, Java, etc.).

Scott Marcus
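
The split this answer describes, as an added example that is not part of the original answer: a small Node.js server where the files sent to the browser are an explicit allowlist and the proprietary pricing logic runs only on the server. The file names, the `/api/quote` endpoint, the prices and the `LISTEN_PORT` variable are hypothetical.

```javascript
// Added example: hypothetical shop server. Names, paths and prices are constructed.
// Server-only data: it lives in this process and is never written into a response.
const COST_CENTS = 1240;
const MARGIN_PCT = 35;

// Everything in this map is sent to browsers, so anyone can read it.
const PUBLIC_FILES = new Map([
  ['/', { type: 'text/html', body: '<script src="/app.js"></script>' }],
  ['/app.js', { type: 'text/javascript',
    body: "fetch('/api/quote?qty=3').then(r => r.json()).then(console.log);" }],
]);

// Proprietary logic runs here; only its result leaves the server.
function quote(qty) {
  const unit = Math.ceil(COST_CENTS * (100 + MARGIN_PCT) / 100);
  const pct = qty >= 10 ? 90 : 100; // bulk orders pay 90%
  return { qty, totalCents: Math.round(unit * qty * pct / 100) };
}

// Pure router, so the behaviour can be checked without opening a socket.
function route(method, rawUrl) {
  const json = (status, obj) => ({ status, type: 'application/json', body: JSON.stringify(obj) });
  const text = (status, body) => ({ status, type: 'text/plain', body });
  if (method !== 'GET') return text(405, 'method not allowed');
  let url;
  try { url = new URL(rawUrl, 'http://localhost'); } catch { return text(400, 'bad request'); }
  if (url.pathname === '/api/quote') {
    const qty = Number(url.searchParams.get('qty'));
    if (!Number.isInteger(qty) || qty < 1 || qty > 1000) return json(400, { error: 'bad qty' });
    return json(200, quote(qty));
  }
  // Allowlist, not a directory: server source and .env files are not servable.
  const file = PUBLIC_FILES.get(url.pathname);
  return file ? { status: 200, ...file } : text(404, 'not found');
}

// Listen only when asked, e.g. LISTEN_PORT=8080 node server.js
if (process.env.LISTEN_PORT) {
  import('node:http').then(({ createServer }) =>
    createServer((req, res) => {
      const r = route(req.method, req.url);
      res.writeHead(r.status, { 'Content-Type': r.type });
      res.end(r.body);
    }).listen(Number(process.env.LISTEN_PORT)));
}
```

The browser can read `/` and `/app.js` in full, but it only ever sees the output of `quote()`, not the cost or margin behind it.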
1

You could minify/uglify/obfuscate your files.

http://javascript2img.com/

http://www.differencebetween.info/difference-between-minification-and-obfuscation

Máster
  • Do you think the devs from this website did this? The source code looks pretty much "encrypted" https://www.quintoandar.com.br/alugar/imovel/pinheiros-sao-paulo-sp-brasil/ – rgoncalv May 27 '18 at 12:15
  • @rgoncalv , I just suggested an option. – Máster May 28 '18 at 15:20
-3

Don't include those files in public (don't use the public folder) ... Serve the file inside the route, using sendfile().

  • 1
    You need the client files to be public for the browser to render it. You've referenced a function `sendfile()` without any clarification. – Matt Shirley May 25 '18 at 17:21