
I would like to use Firebase as part of a React app that I am building. According to "Add Firebase to your JavaScript Project", we should add the following to a Node.js project:

```
// Initialize Firebase
// TODO: Replace with your project's customized code snippet
var config = {
  apiKey: "<API_KEY>",
  authDomain: "<PROJECT_ID>.firebaseapp.com",
  databaseURL: "https://<DATABASE_NAME>.firebaseio.com",
  storageBucket: "<BUCKET>.appspot.com",
};
firebase.initializeApp(config);
```

  1. Is it a security risk to have the API_KEY and PROJECT_ID in a public Git repository?

  2. When using the Firebase CLI a .firebaserc is created in JSON format, which contains the PROJECT_ID. Is it a security risk to have this in a public Git repository?

"Is it safe to expose Firebase apiKey to the public?" discusses exposing the API key to the public but doesn't mention Git or the Project ID.

Frank van Puffelen
David
  • With only the `API_KEY` and `PROJECT_ID`, can you delete stuff from the Firebase database? – azium Aug 25 '18 at 07:34
  • I have edited my question to state why I think this is different. – David Aug 25 '18 at 09:11
  • It is not a security risk. But common opinion seems to not store this configuration in version control, since each developer should have their own project for developing. See https://stackoverflow.com/questions/37358340/should-i-add-the-google-services-json-from-firebase-to-my-repository (for Android), https://stackoverflow.com/questions/44937175/firebase-should-i-add-googleservice-info-plist-to-gitignore (for iOS). Since the meaning of the configuration data is the same across platforms, I'd follow the same guidance for web. See this for an (old) example: https://stackoverflow.com/q/36711729/ – Frank van Puffelen Aug 25 '18 at 14:07
  • Thanks for the comment. My takeaway is not to store the development configuration (i.e. any Firebase project that has localhost as an authorised domain) in version control. – David Aug 25 '18 at 18:55
  • I still think this question adds value. So, it would be nice if someone could remove the duplicate flag :) – David Aug 25 '18 at 18:56
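
One way to follow the guidance in the comments above and keep each developer's project configuration out of version control, as an added example (not code from the question or from Firebase's documentation): build the config object from environment variables and refuse to start if a value is missing or still a template placeholder. The environment variable names and the `loadFirebaseConfig` helper are assumptions made for this example.

```javascript
// Added example. The environment variable names are assumptions, not Firebase-defined.
const REQUIRED = {
  apiKey: "FIREBASE_API_KEY",
  projectId: "FIREBASE_PROJECT_ID",
  databaseName: "FIREBASE_DATABASE_NAME",
  bucket: "FIREBASE_BUCKET",
};

// Values still in the "<API_KEY>" form are template placeholders, not real settings.
const PLACEHOLDER = /^<[^>]*>$/;

// Hypothetical helper: returns a config object shaped like the snippet in the question.
function loadFirebaseConfig(env) {
  const values = {};
  const problems = [];
  for (const [field, name] of Object.entries(REQUIRED)) {
    const raw = (env[name] || "").trim();
    if (raw === "") problems.push(`${name} is not set`);
    else if (PLACEHOLDER.test(raw)) problems.push(`${name} is still a placeholder`);
    values[field] = raw;
  }
  if (problems.length > 0) {
    // Report every problem at once so a new developer can fix their setup in one pass.
    throw new Error("Firebase config incomplete: " + problems.join("; "));
  }
  return {
    apiKey: values.apiKey,
    authDomain: `${values.projectId}.firebaseapp.com`,
    databaseURL: `https://${values.databaseName}.firebaseio.com`,
    storageBucket: `${values.bucket}.appspot.com`,
  };
}

// Constructed sample environment (not real credentials).
const sampleEnv = {
  FIREBASE_API_KEY: "constructed-example-key",
  FIREBASE_PROJECT_ID: "example-dev-project",
  FIREBASE_DATABASE_NAME: "example-dev-project",
  FIREBASE_BUCKET: "example-dev-project",
};
const config = loadFirebaseConfig(sampleEnv);
console.log(config.authDomain);
// Usage: firebase.initializeApp(loadFirebaseConfig(process.env));
// with the environment supplied by your build tooling.
```

The values still end up in the built client bundle; this only keeps per-developer project settings out of the repository.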
