
I Like Kill Nerds

The blog of Australian Front End / Aurelia Javascript Developer & brewing aficionado Dwayne Charrington // Aurelia.io Core Team member.


Is It Safe/Okay To Publicly Expose Your Firebase API Key?

Firebase · January 24, 2020

Perhaps one of the most confusing aspects of building a publicly visible Firebase application hosted on GitHub is that when you add your SDK configuration details and commit them, you'll get warnings from a bot called GitGuardian and an email from Google themselves.

I am not sure if everyone gets these, but I do for every publicly visible Firebase application I have on GitHub.

The code in question that triggered these latest warnings for me looked like this:

const firebaseConfig = {
  apiKey: 'AIzaSyCz0wlgveUQ65qa8hs5A4kxPsrotOn_fSc',
  authDomain: 'binary-people.firebaseapp.com',
  databaseURL: 'https://binary-people.firebaseio.com',
  projectId: 'binary-people',
  storageBucket: 'binary-people.appspot.com',
  messagingSenderId: '617061139341',
  appId: '1:617061139341:web:c16aacb98727f9a68bf3c4',
  measurementId: 'G-3E37M44VBZ'
};

This is the snippet Firebase gives you when you register a web app in the console. It's the configuration you're told to paste into your client code so the Firebase SDK knows which project to talk to.

Committing this resulted in two messages: the first from GitGuardian, and another from Google Cloud compliance.

If you're new to Firebase, these emails would terrify you. Rest assured, there is no problem with committing your Firebase client configuration. These are warnings: the scanners can't tell a public client key from a private one. The key above simply identifies your project to Firebase's servers, that's it. It is not a secret in the way a service account JSON file or a private key is (those must never be committed), and if you want belt and braces you can restrict the key to your site's HTTP referrers in the Google Cloud console.

The key grants nothing on its own; what gates access is your Security Rules. If your database rules are open, anyone who knows the database URL (which is in the same config, and is guessable from the project ID anyway) can read from and write to it, key or no key. The rules are the thing to lock down, not the config.

Dwayne



Copyright © 2023 · Dwayne Charrington
