firebase-securityjavascript-security

How to initialize firestore without exposing the config?


Am wondering if there's a way to not expose the apiKey, authDomain and projectId when using the JavaScript SDK based on the examples here: https://firebase.google.com/docs/firestore/quickstart#initialize

// Initialize Cloud Firestore through Firebase
firebase.initializeApp({
  apiKey: '### FIREBASE API KEY ###',
  authDomain: '### FIREBASE AUTH DOMAIN ###',
  projectId: '### CLOUD FIRESTORE PROJECT ID ###'
});

var db = firebase.firestore();

Would other people be able to initialize firestore with my configs if they're exposed?


Solution

  • There is no security risk if someone can get that data from your project. They can't do anything with them to harm you and your App. Anyone who wants to connect to your project would need that information. There is a great answer to that from Puf.

    With App Check you can limit access to your Firebase project only from sourced linked to it like Android, iOS and Web Apps.