
I Like Kill Nerds

The blog of Australian Front End / Aurelia Javascript Developer & brewing aficionado Dwayne Charrington // Aurelia.io Core Team member.


Is It Safe/Okay To Publicly Expose Your Firebase API Key?

Firebase · January 24, 2020

Perhaps one of the most confusing aspects of building a publicly visible Firebase application hosted on GitHub is that when you add your SDK configuration details and commit them, you’ll get warnings from a bot called GitGuardian and an email from Google themselves.

I am not sure if everyone gets these, but I do for every publicly visible Firebase application I have on GitHub.

The code in question that triggered these latest warnings for me looked like this:

const firebaseConfig = {
  apiKey: 'AIzaSyCz0wlgveUQ65qa8hs5A4kxPsrotOn_fSc',
  authDomain: 'binary-people.firebaseapp.com',
  databaseURL: 'https://binary-people.firebaseio.com',
  projectId: 'binary-people',
  storageBucket: 'binary-people.appspot.com',
  messagingSenderId: '617061139341',
  appId: '1:617061139341:web:c16aacb98727f9a68bf3c4',
  measurementId: 'G-3E37M44VBZ'
};

This is the code that you are provided when you add and configure your project in Firebase. It’s code you’re told to add into your application to configure the Firebase application.

Committing this resulted in the following messages.

The first one from GitGuardian:

And another from Google Cloud compliance:

If you’re new to Firebase, these emails would terrify you. Rest assured, there is no problem with committing your Firebase configuration details for the client. These errors are warnings; the scanners can’t tell the difference between public API keys and private ones. The key above simply identifies your website to Firebase servers, that’s it.

If your application has open security rules on your database, at worst, this just makes your application URL public and means someone could write to it if you do not have it locked down.

Dwayne
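Since the real protection is the database security rules rather than the key, here is an added example (not code from the original post) that audits a Realtime Database rules object for paths that grant read or write to anyone. The function names and both sample rule sets are constructed for illustration, and it assumes the Realtime Database rules JSON format, matching the databaseURL in the config above.

```javascript
// Constructed sample: wide-open rules, anyone holding the config can read and write.
const openRules = { rules: { '.read': true, '.write': true } };

// Constructed sample: closed by default, per-user data, one deliberately public read.
const lockedRules = {
  rules: {
    '.read': false,
    '.write': false,
    users: {
      '$uid': {
        '.read': 'auth != null && auth.uid === $uid',
        '.write': 'auth != null && auth.uid === $uid'
      }
    },
    posts: { '.read': true, '.write': 'auth != null' }
  }
};

// A rule is unconditional when it is boolean true or the string "true".
function isUnconditional(value) {
  return value === true ||
    (typeof value === 'string' && value.trim() === 'true');
}

// Walk the rules tree and report every path that grants access to anyone.
// Rules cascade: a grant at a parent path also applies to every child path.
function findOpenRules(node, path = '/') {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === '.read' || key === '.write') {
      if (isUnconditional(value)) findings.push({ path, access: key.slice(1) });
    } else if (!key.startsWith('.') && value && typeof value === 'object') {
      const childPath = path === '/' ? `/${key}` : `${path}/${key}`;
      findings.push(...findOpenRules(value, childPath));
    }
  }
  return findings;
}

// Hypothetical entry point: takes the whole rules document ({ rules: {...} }).
function auditRules(ruleSet) {
  return findOpenRules(ruleSet.rules || {});
}

console.log('open rules:', auditRules(openRules));
console.log('locked rules:', auditRules(lockedRules));
```

A finding on `/` with `write` access is the case described above; a finding such as `/posts` with `read` only is worth a review but may be intentional.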

Copyright © 2022 · Dwayne Charrington