Is exposing the API Key from Firebase at url/firebase-messaging-sw.js a security risk?

Question

I've noticed that the API Key of Firebase can be easily accessed on the website I'm managing through url + firebase-messaging-sw.js. I've got mixed answers online when searching for this issue. Is this a security issue I should be concerned about? If so, how can I block access to this URL?

I've searched about the problem and got mixed kind of answers. So far, I don't know if it is a security issue, if blocking access to this URL will affect other things like notifications, or how would I block it in the first place.

score 0 · Accepted Answer · answered Nov 08 '22 at 23:21

0

The API key is safe to share. Puf has answered this in this stack overflow post.

The reason is that direct database access is the desired outcome in Firebase and security is implemented server side through the use of security rules.

answered Nov 08 '22 at 23:21

Alexander N.

1,458
14
25

Is exposing the API Key from Firebase at url/firebase-messaging-sw.js a security risk?

1 Answers1