As per this answer, it is not a security risk to publicly expose your Firestore API key; however, as later answers to that question pointed out, people can make excessive requests with it and drain your quota. Does Firestore have any features to prevent excessive requests? If not, why do the docs show examples such as this that tell you to put all your config, including apiKey, in client-side JavaScript?
Viewed 925 times
I answered your question below. Aside from that, it seems that you're mostly worried about security risks of exposing something that you consider private keys. You should think of these values as configuration data that is needed for your app to find its data on Google's servers. Similar to how you know to type `stackoverflow.com` in the address bar of your browser to post a question, the configuration data is what your app needs to access your Firebase project. In both cases, you'll typically add authentication (signing in) and authorization (rules on who can do what). – Frank van Puffelen Jun 24 '18 at 15:11
-
So requests are not counted against your quota if they come from a user that is not signed in. Even if they do, Firebase has ways of detecting that abuse. – georgiaboy82 Jun 29 '18 at 00:57
1 Answer
6
Firebase monitors for abuse. If you think your database is seeing undetected abuse, reach out to Firebase support for personalized help in troubleshooting.

Frank van Puffelen
-
I do not fully understand that, so if someone gets my credentials and calls 1 million reads just to drain my quota, what would happen then? Thanks in advance, a worried Firestore user – niclas_4 Jun 27 '19 at 22:39
-
One good form of protection is to put the 3rd party API calls behind your own API (backend, server or function) and use that instead. This way you can do your own rate limiting and checks outside of control and view of the client (no exposed 3rd party API keys). Granted you still need to have a solid auth strategy for your own API, at least this gives you more control. – Damien Roche Oct 26 '22 at 16:33
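The approach in the last comment (keep the third-party credentials on the server, and do authentication, authorization and rate limiting there) as an added example that is not part of the question, the answer or any comment above. It is plain Node.js with no Firebase dependency: `verifyToken`, `backendRead`, the `SESSIONS` map and the `DOCS` store are constructed stand-ins so the block runs offline. In a real deployment `verifyToken` would validate the client's Firebase ID token with the Admin SDK (`admin.auth().verifyIdToken(...)`) and `backendRead` would query Firestore with server-side credentials that never reach the browser; the per-user token bucket is the part the client cannot tamper with, which is what the public API key alone does not give you.

```javascript
// Added example, not code from the thread. Names below are hypothetical and
// the backend is an in-memory stub so the whole thing runs without Firebase.

// Token-bucket limiter keyed by caller identity. The clock is injected so the
// behaviour is deterministic in tests (and so a client cannot influence it).
class RateLimiter {
  constructor({ capacity, refillPerSecond, now = () => Date.now() / 1000 }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;
    this.buckets = new Map(); // uid -> { tokens, updated }
  }

  // true if the caller may proceed, false if they have spent their budget.
  allow(uid) {
    const t = this.now();
    let b = this.buckets.get(uid);
    if (!b) {
      b = { tokens: this.capacity, updated: t };
      this.buckets.set(uid, b);
    }
    const elapsed = Math.max(0, t - b.updated);
    b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refillPerSecond);
    b.updated = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Constructed stand-ins. A real server would verify a Firebase ID token here
// and read Firestore with Admin SDK credentials that never leave the server.
const SESSIONS = { "tok-alice": "alice", "tok-bob": "bob" };
function verifyToken(bearer) {
  const uid = SESSIONS[bearer];
  if (!uid) throw new Error("unauthenticated");
  return uid;
}
const DOCS = {
  "users/alice/profile": { name: "Alice" },
  "users/bob/profile": { name: "Bob" },
};
function backendRead(path) {
  return Object.prototype.hasOwnProperty.call(DOCS, path) ? DOCS[path] : null;
}

// The only entry point the client can reach. Order matters: reject unknown
// callers before they consume any budget, then authorize, then rate-limit,
// and only then touch the backend (which is what actually costs quota).
function makeHandler(limiter) {
  return function handleRead(req) {
    let uid;
    try {
      uid = verifyToken(req.authorization);
    } catch (e) {
      return { status: 401, body: "unauthenticated" };
    }
    // Authorization: a user may only read their own subtree.
    if (!req.path.startsWith("users/" + uid + "/")) {
      return { status: 403, body: "forbidden" };
    }
    if (!limiter.allow(uid)) {
      return { status: 429, body: "rate limited" };
    }
    return { status: 200, body: backendRead(req.path) };
  };
}

// Demo: a burst from one user exhausts that user's bucket, other users are
// unaffected, cross-user reads and anonymous reads are refused, and the
// bucket refills as time passes. Returns the observed status codes.
function demo() {
  let fakeNow = 0;
  const limiter = new RateLimiter({ capacity: 3, refillPerSecond: 1, now: () => fakeNow });
  const handle = makeHandler(limiter);
  const statuses = [];
  for (let i = 0; i < 5; i++) {
    statuses.push(handle({ authorization: "tok-alice", path: "users/alice/profile" }).status);
  }
  const bobStatus = handle({ authorization: "tok-bob", path: "users/bob/profile" }).status;
  const crossStatus = handle({ authorization: "tok-bob", path: "users/alice/profile" }).status;
  const anonStatus = handle({ authorization: "nope", path: "users/alice/profile" }).status;
  fakeNow = 2; // two seconds later alice has earned two tokens back
  const later = handle({ authorization: "tok-alice", path: "users/alice/profile" }).status;
  return { statuses, bobStatus, crossStatus, anonStatus, later };
}

console.log(JSON.stringify(demo()));
```

Run it with `node` and you get five requests from alice as `200,200,200,429,429`, then `200` for bob, `403` for bob reading alice's document, `401` for an unknown token, and `200` for alice again once the bucket has refilled. The limiter state lives in process memory, so behind more than one server instance you would back it with a shared store; the ordering of checks is the part worth keeping.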