DEV Community


Discussion on: Firebase Functions: React users need to stop storing sensitive API keys in .env files!

chrishbrown55
Christopher Brown 🤯

This is actually quite misleading. While it is possible to grab your API key from your site, it is 100% safe to leave this key in the open. It is a public key and the tutorials instruct you to do so.

The way to actually secure your real-time database or Firestore on Firebase is to set rules for accessing your database based on information such as request.userId or whether or not they've been granted access to a group. If you don't do this your server is very much still open to attack.

This being said, to do more complicated manipulation of your database, you should use Firebase functions, not because of your API key but rather because exposing your business logic to the world is dangerous and could be easily manipulated to provide different, potentially harmful, results.

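The access-rule approach described in the comment above, shown as a concrete Firestore rules file. This is an added example, not code from the post or from either commenter. In the rules language the caller's identity is exposed as `request.auth.uid` (it is `null` for unauthenticated requests), and group membership is checked here by looking up a document under a hypothetical `/groups/{groupId}/members/{uid}` path; the collection layout, field names and size limit are assumptions for the example. The commented-out catch-all at the top is the wide-open configuration that a leaked-but-public API key makes dangerous; the remaining rules are the locked-down form.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (do not ship): with this rule, anyone who reads the API key out of
    // the client bundle can read and write the whole database.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Caller has presented a valid Firebase Auth token.
    function signedIn() {
      return request.auth != null;
    }

    // Caller is the user the document belongs to.
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Caller is listed as a member of the group (assumed layout:
    // /groups/{groupId}/members/{uid}). exists() costs one read per evaluation.
    function isGroupMember(groupId) {
      return signedIn()
        && exists(/databases/$(database)/documents/groups/$(groupId)/members/$(request.auth.uid));
    }

    // Each user may read and write only their own profile document.
    match /users/{uid} {
      allow read, write: if isOwner(uid);
    }

    // Group posts: members can read; a member may create a post only as
    // themselves and only with the expected fields; only the author may
    // change or delete it afterwards.
    match /groups/{groupId}/posts/{postId} {
      allow read: if isGroupMember(groupId);

      allow create: if isGroupMember(groupId)
        && request.resource.data.authorId == request.auth.uid
        && request.resource.data.keys().hasOnly(['authorId', 'body', 'createdAt'])
        && request.resource.data.body is string
        && request.resource.data.body.size() <= 2000;   // assumed limit

      allow update, delete: if isGroupMember(groupId)
        && resource.data.authorId == request.auth.uid;
    }

    // Everything not matched above is denied. This is also the default,
    // but stating it makes the intent explicit during review.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two points worth checking before deploying rules like these: the `create` rule validates the shape of the incoming document (`request.resource.data`), because a client that controls the write can otherwise put arbitrary fields in the record, and the membership lookup uses `exists()` rather than trusting any "groups" claim the client sends in the document itself. Rules run on every request regardless of which API key the client used, which is why the key being public does not by itself open the database.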
andersjr1984 (Author)

I am talking about API keys that are meant to be private. I even discuss how the Firebase API key and some other publishable API keys are perfectly fine in client-side code. There are a couple of links in the post that justify leaving the Firebase API key in client-side code.