
I have a server.js file that is hidden from the client when using Heroku. If I put my firebase.init {} in there and assign the variables to environment variables on Heroku (securely), can I just leave the security rules as true? The user doesn't have access to the credentials, so it sort of makes it safe, right?

Thanks.

KneeHowMa

1 Answer

You can't really hide your initialization object. All you can do is obfuscate it. It will have to somehow end up on the client, which will be readable by anyone, and can therefore be reverse engineered. This is not a good substitute for good security rules.

Doug Stevenson
  • what if I were to use socket.io to emit a request from the client to the server in order to make changes to database or perform a function? Wouldn't this technically work as all the credentials are hidden (heroku environmental variables) and the user doesn't have any access to obscuring the firebase database? Like the socket.emit is all they can use, so how would they be able to view/see anything? Sorry if I might be challenging, just wondering if this could possibly be a viable option. Thanks for your reply! – KneeHowMa May 24 '20 at 22:47
  • I answered that already on your previous question: https://stackoverflow.com/questions/61980724/firebase-auth-are-my-variables-secure-safe – Frank van Puffelen May 24 '20 at 22:50
  • that was relating to how I was sending something from server to client. The scenario above is client to server. What I am trying to say is, if a client is able to write the database but the firebase initialisation is on the server, are they still able to obscure the firebase database? Because technically, they only see socket.emit('request') from client and nothing else, or am I wrong? – KneeHowMa May 24 '20 at 22:57