Really great article! One concern I have is that (e.g. on Safari you can view the source using the Develop Menu -> Show Page Source) anyone can read your Firebase configuration details e.g. api key and project id. Is this enough information to allow people to hack into your Firebase service?
Yes, that's true. However, the Firebase credentials are supposed to be used in client applications. That's why you can restrict the domains in your Firebase console to your own domain. Then no one else can use it. Does it make sense?
If your web pages are hosted on Firebase then I believe you can restrict access to your domain so the api key and project id are not enough for someone to hack into your service. The other options below assume you do not use Firebase hosting.
If you use OAuth, your permitted callback URLs will restrict access to the service, although many developers will include localhost to facilitate development, so that isn't safe.
If you just use account and password authentication I don't think that is safe.
I guess the recommendation is to use Firebase hosting and restrict the domain.