2

I am working on a only-web flutter project and I am using Firebase Cloud Firestore. As you know, we need to add config files to "index.html" file in order to have a connection with firebase. My project is very simple, it has a form that takes input and stores it to the firestore. Everyone can use it without logging in.

My problem is: Everyone can inspect the page code and see the credentials in the config file.

Question is: Is it a problem? I don't want people to abuse the website by using the credentials or get access to my firebase project. If it is a problem, how can I hide it?

Thank you.

Mert Yerekapan
  • 23
  • 6

1 Answers1

4

There are no credentials in Firebase configurations. There are just configurations that tell code where to find your project and database. These configurations are effectively public information when you publish your app. There's nothing you can do to hide them completely.

If you are concerned about the security of data in Firestore, you will need to use security rules along with Firebase Authentication to indicate who is allow to read and write which parts of your database. It's not possible to secure the database to just a specific app or web domain, since the Firebase APIs are all effectively public APIs. Security rules are what make the database secure.

Also read: Is it safe to expose Firebase apiKey to the public?

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • 1
    Thank you so much for the clarification. I also checked the security rules but I guess if I don't ask for authentication, I can't set any rules. Would it be wise to ask for anonymous authentication, just to set up some rules? So I could block the spam (just in case) – Mert Yerekapan Jun 03 '20 at 16:40
  • That would be a good place to start, however, that doesn't prevent someone from simply using the Firebase Auth REST API to create a new anonymous account, and use its credentials to access the database. – Doug Stevenson Jun 03 '20 at 16:42