Should I hide firebase api keys into backend? Not due to data security but project cloning issue

前端 未结 2 640
余生分开走
余生分开走 2021-01-02 15:23

Can someone help me with firebase security questions?
Here\'s what I was try to figure out:

I understand that to let a client side interacting with my firebase

相关标签:
2条回答
  • 2021-01-02 16:18

    I've wondered something similar before, and found this handy article after a bit of searching. (The article itself is on mobile development, but there is a section addressing this specific question). The relevant section is titled "API Blockage by Domain and Package"

    The article explains it better than I can, and just in case the link ever goes down, I'll copy the text below for future viewer's references. This was written by Jorge Vergara on his website https://javebratt.com/hide-firebase-api/ last updated July 20, 2018.

    Another cool thing, if you go to your Google APIs account, you’ll see all of your Firebase projects, pick one, and in the Credentials Tab select your API key.

    If you’ve never messed with it, it should be called something like Browser key (auto created by Google Service), open it, and you’ll find options for key restriction:

    This key is unrestricted. To prevent unauthorized use and quota theft, restrict your key. Key restriction lets you specify which websites, IP addresses, or apps can use this key.

    There you can choose HTTP referrers (websites) and add your domain. This means that the Firebase database will only accept requests for people writing from that domain.

    Or Android apps and iOS apps, where you can add package name and fingerprints.

    For example:

    If you build myawesomeapp.com and add the domain in the HTTP referrers (websites) section, any attacker trying to connect from a different domain will get an error, and those requests will never make it to the database.

    The link he provided to access your Google APIs account is: https://console.developers.google.com/apis/credentials

    If you click on the link that says "Browser key (auto created by Google Service)" then you should see the "Application Restrictions" section towards the bottom, where you can select "HTTP Referrers"... clicking on that allows you to enter approved domains.

    0 讨论(0)
  • 2021-01-02 16:18

    There is no need to try to hide your API key. It is essentially public information, and a determined hacker will be able to get a hold of it no matter how hard you try to obfuscate it.

    A hacker doesn’t really stand to gain very much by getting your API key. It’s just a unique identifier for your project. If you want to secure your data in Realtime Database and Cloud Storage, you should use security rules along with Firebase Authentication to protect access to only the users who should have that access.

    0 讨论(0)
提交回复
热议问题