Is it safe to expose Firebase apiKey to the public? Ask Question

tag-icon tag-icon javascript firebase
Is it safe to expose Firebase apiKey to the public? Ask Question

The Firebase Web-App guide states I should put the given apiKey in my Html to initialize Firebase:

// TODO: Replace with your project's customized code snippet
<script src="https://www.gstatic.com/firebasejs/3.0.2/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: '<your-api-key>',
    authDomain: '<your-auth-domain>',
    databaseURL: '<your-database-url>',
    storageBucket: '<your-storage-bucket>'
  };
  firebase.initializeApp(config);
</script>

By doing so, the apiKey is exposed to every visitor.

What is the purpose of that key and is it really meant to be public?

ベストアンサー1

From the Firebase documentation on using and managing API keys:

Firebase-related APIs use API keys only to identify the Firebase project or app, not for authorization to call the API (like some other APIs allow).

So the apiKey in your configuration snippet just identifies your Firebase project on the Google servers, but does on its own not allow access to it yet. It is not a security risk for someone to know it. In fact, it is necessary for them to know it, in order for them to interact with your Firebase project. This same configuration data is also included in every iOS and Android app that uses Firebase as its backend.

In that sense it is very similar to the database URL that identifies the back-end database associated with your project in the same snippet: https://<app-id>.firebaseio.com. See this question on why this is not a security risk: How to restrict Firebase data modification?, including the use of Firebase's server side security rules to ensure only authorized users can access the backend services.

If you want to learn how to secure all data access to your Firebase backend services is authorized, read up on the documentation on Firebase security rules. These rules control access to file storage and database access, and are enforced on the Firebase servers. So no matter if it's your code, or somebody else's code that uses you configuration data, it can only do what the security rules allow it to do.

For a longer explanation of what Firebase uses this configuration data for, and for which of them you can set quotas, see the documentation on using and managing API keys.

If you'd like to reduce the risk of committing this configuration data to version control, consider using the SDK auto-configuration of Firebase Hosting. While the keys will still end up in the browser in the same format, they won't be hard-coded into your code anymore with that.

Update (May 2021): Thanks to the new feature called Firebase App Check, it is now actually possible to limit access to the backend services in your Firebase project to only those coming from iOS, Android and Web apps that are registered in that specific project.

You'll typically want to combine this with the user authentication based security described above, so that you have another shield against abusive users that do use your app.

App Check をセキュリティ ルールと組み合わせることで、不正使用に対する広範な保護と、各ユーザーがアクセスできるデータのきめ細かな制御の両方を実現しながら、クライアント側のアプリケーション コードからデータベースへの直接アクセスも許可します。

おすすめ記事