0

I am exploring Google Firestore for web and I have a basic question. According to the integration guide I am supposed to place the API Key and other configuration values in the client JavaScript code. But, since this code is public, anyone who are using my web app will be able to see this API key.

In that case, won’t they be able to insert any data into the fire store by using my API KEY in some other web app? How do I make sure only my web app will be able to insert data into my fire store?

Veera
  • 32,532
  • 36
  • 98
  • 137
  • They API key in the web page is not a security mechanism. It literally just serves to find your Firebase project on the servers, pretty much how a URL allows finding the correct web site in many hosting systems. See my answer here: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen May 30 '18 at 23:39
  • To secure your database, you use a combination of authentication (i.e. Firebase Authentication) and server-side authorization (e.g. through [Firestore security rules](https://firebase.google.com/docs/firestore/security/overview)). That way, even if somebody copies your configuration data into another site, they will still have to identify themselves and adhere to your rules. – Frank van Puffelen May 30 '18 at 23:40
  • Thank you! That answers lot of my questions! – Veera May 30 '18 at 23:56

0 Answers0