Question
The Firebase Web-App guide states I should put the given apiKey in my HTML to initialize Firebase:
```html
<!-- TODO: Replace with your project's customized code snippet -->
<script src="https://www.gstatic.com/firebasejs/3.0.2/firebase.js"></script>
<script>
// Initialize Firebase
var config = {
  apiKey: '<your-api-key>',
  authDomain: '<your-auth-domain>',
  databaseURL: '<your-database-url>',
  storageBucket: '<your-storage-bucket>'
};
firebase.initializeApp(config);
</script>
```
By doing so, the apiKey is exposed to every visitor. What is the purpose of that key and is it really meant to be public?
Answer
The apiKey in this configuration snippet just identifies your Firebase project on the Google servers. It is not a security risk for someone to know it. In fact, it is necessary for them to know it, in order for them to interact with your Firebase project. This same configuration data is also included in every iOS and Android app that uses Firebase as its backend.
In that sense it is very similar to the database URL that identifies the backend database associated with your project in the same snippet: https://<app-id>.firebaseio.com. See this question on why this is not a security risk: [How to restrict Firebase data modification?](https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification), including the use of Firebase's server side security rules to ensure only authorized users can access the backend services.
If you want to learn how to ensure all data access to your Firebase backend services is authorized, read up on the documentation on Firebase security rules. These rules control access to file storage and database access, and are enforced on the Firebase servers. So no matter if it's your code, or somebody else's code that uses your configuration data, it can only do what the security rules allow it to do.
For another explanation of what Firebase uses these values for, and for which of them you can set quotas, see the Firebase documentation on using and managing API keys.
If you'd like to reduce the risk of committing this configuration data to version control, consider using the [SDK auto-configuration of Firebase Hosting](https://firebase.google.com/docs/hosting/reserved-urls#sdk_auto-configuration). While the keys will still end up in the browser in the same format, they won't be hard-coded into your code anymore with that.
Update (May 2021): Thanks to the new feature called Firebase App Check, it is now actually possible to limit access to the backend services in your Firebase project to only those coming from iOS, Android and Web apps that are registered in that specific project.
You'll typically want to combine this with the user authentication based security described above, so that you have another shield against abusive users that do use your app.
By combining App Check with security rules you have both broad protection against abuse, and fine-grained control over what data each user can access, while still allowing direct access to the database from your client-side application code.
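As an added illustration (not part of the original answer), here is a Realtime Database security rules file of the kind the answer points to: because the apiKey is public, these server-enforced rules are what actually decide who may read or write. The node names `users` and `posts` and the field names are assumptions chosen for this example.

```json
{
  "rules": {
    // Wide-open rules are the dangerous combination with a public apiKey:
    //   ".read": true,
    //   ".write": true
    // Instead deny everything by default; deeper rules grant access explicitly.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // Only the signed-in user whose uid matches the path segment.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        // Constrain the shape of the record, not just who may write it.
        ".validate": "newData.hasChildren(['displayName'])",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        },
        // Reject any field not listed above.
        "$other": { ".validate": false }
      }
    },

    "posts": {
      // Any signed-in user may read posts.
      ".read": "auth != null",
      "$postId": {
        // Create if the post does not exist yet; update or delete only as its author.
        ".write": "auth != null && (!data.exists() || data.child('author').val() === auth.uid)",
        ".validate": "newData.hasChildren(['author', 'text'])",
        "author": {
          // The author field must always be the writer's own uid.
          ".validate": "newData.val() === auth.uid"
        },
        "text": {
          ".validate": "newData.isString() && newData.val().length <= 2000"
        },
        "$other": { ".validate": false }
      }
    }
  }
}
```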