Yesterday I got a notification from Google that my security rules for my Firebase database are not safe. I allowed everyone to read/write since the application is only used in a local environment. So I supposed the API key would be safe enough.

Am I correct, assuming that my database is safe, as long as no one else has the API key?

Reaz Murshed
Malaf
    The API key that you include in your app/web page is *configuration* data only. It is not a security mechanism. See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen May 02 '19 at 20:51

1 Answer

If the API key is stored in a variable in one of your program files or in the local storage, then it can be decompiled to get your API key from your code or file system respectively. Hence it's better to update your security rules in Firebase and implement the basic user authentication mechanism so that you can prevent an attacker from modifying your data.

For more information please look into the security rules overview from the Firebase documentation.

Reaz Murshed
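The rule change recommended in the answer above, as an added example that is not part of the original post or Firebase's own code: a small Node.js audit that flags rules open to everyone and stricter child rules that an open parent makes ineffective. It assumes the Realtime Database rules JSON format; the sample rule sets, the `users/$uid` layout and the `auditRules` helper are constructed for illustration.

```javascript
// Constructed sample rule sets (Realtime Database rules JSON); not the asker's.
const openRules = { rules: { ".read": true, ".write": true } };
const perUser = { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" };
const mixedRules = { rules: { ".read": true, users: { "$uid": perUser } } };
const hardenedRules = { rules: { users: { "$uid": perUser } } };

// A rule is unconditionally open when it is the boolean true or the string "true".
const isOpen = (v) => v === true || (typeof v === "string" && v.trim() === "true");

// Hypothetical helper: walk the rules tree and report risky .read/.write rules.
function auditRules(doc) {
  const findings = [];
  const walk = (node, path, inherited) => {
    const open = { ...inherited };
    for (const op of [".read", ".write"]) {
      if (!(op in node)) continue;
      if (isOpen(node[op])) {
        findings.push({ path, op, issue: "open-to-everyone" });
        open[op] = path;
      } else if (inherited[op]) {
        // Grants cascade downward, so a stricter child rule cannot revoke them.
        findings.push({ path, op, issue: `shadowed-by ${inherited[op]}` });
      }
    }
    for (const [key, child] of Object.entries(node)) {
      if (!key.startsWith(".") && child && typeof child === "object") {
        walk(child, `${path}/${key}`.replace("//", "/"), open);
      }
    }
  };
  walk(doc.rules || {}, "/", {});
  return findings;
}

// Stand-alone run: print findings for each constructed rule set.
for (const [name, doc] of Object.entries({ openRules, mixedRules, hardenedRules })) {
  console.log(name, JSON.stringify(auditRules(doc)));
}
```

In `hardenedRules` no rule exists at the root, so access there is denied by default and each signed-in user can reach only the node under their own `uid`.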