
I have been messing around with Firebase in a web app and realized there's something I don't understand.

In order for the JS code to send data to the Firebase servers, your apiKey has to be in the JS. But then that means your API key is public, and anyone using your website can inspect the code and just send arbitrary commands to Firebase on your behalf from the dev tools, or from any other site now that they have the API key.

I know I must be missing something, since this would make Firebase not useful. What is it I'm missing? What prevents users from sending arbitrary commands to Firebase with your ApiKey?

temporary_user_name
  • *"What prevents users from sending arbitrary commands to Firebase with your ApiKey?"* - security rules. – Doug Stevenson Apr 29 '20 at 07:26
  • Damn, you're all over the firebase tag around here. Thank you. I'm reading more about that now. Hard to imagine how I can simultaneously allow requests from a domain to access/modify data and simultaneously block requests from that domain (i.e. requests originating in the Chrome dev tools for that domain) -- unless I'm mistaken and requests in the dev tools aren't treated the same... have to figure that out first maybe. – temporary_user_name Apr 29 '20 at 07:29
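The following Cloud Firestore security rules file is an added illustration of the "security rules" the comments refer to; it is not part of the question or the comments, and the collection names `users` and `public` and the field names are assumed for the example. The point it shows: the apiKey only identifies the Firebase project, so it is expected to be public. Authorization is decided per request on Firebase's servers from `request.auth` (the signed-in user's verified ID token) and the data being written, which is why the origin of the request (the site's own page, the browser dev tools on that page, or another site) does not matter.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout for this example: one document per user at /users/{uid}.
    // A request is allowed only if the caller is signed in and the uid in
    // their verified ID token matches the document they are touching.
    // The apiKey plays no part in this decision.
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;

      // Writes additionally require the document's owner field to equal the
      // caller's uid, so a user cannot write a record claiming another owner.
      allow create, update: if request.auth != null
                            && request.auth.uid == userId
                            && request.resource.data.owner == request.auth.uid;

      allow delete: if request.auth != null && request.auth.uid == userId;
    }

    // Assumed public collection: anyone may read, nobody may write from the
    // client SDK (writes happen server-side with the Admin SDK, which bypasses rules).
    match /public/{docId} {
      allow read: if true;
      allow write: if false;
    }

    // Everything not matched above is denied. Rules deny by default, but stating
    // it makes the intent explicit when reviewing the file.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Deploy the rules with the Firebase CLI (`firebase deploy --only firestore:rules`) or paste them into the Rules tab of the Firebase console, then test them in the console's Rules Playground or with the local emulator: a request for `/users/someone-else` made with another user's token is rejected regardless of which page or tool issued it.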

0 Answers