This repository has been archived by the owner on May 20, 2020. It is now read-only.

fix: firebase config keys exposed to public #270

Open
chroline opened this issue Apr 5, 2020 · 2 comments
Assignees
Labels
category:dev-ops help wanted Extra attention is needed. priority:p1 type:task Tasks are the actions that make up epics.

Comments

@chroline

chroline commented Apr 5, 2020

Hello there, great product.

I have a security concern regarding your Firebase configuration and your API keys. Performing a basic search query for "apiKey", I found 176 results for "apiKey" location within the tutorbook repo, which is very concerning.

My recommendation would be to move these configuration details to environment variables so that they aren't publicly visible and available on the public code repository.

@nicholaschiang
Member

Good idea! We'll work on this right away.

@nicholaschiang nicholaschiang added category:dev-ops help wanted Extra attention is needed. priority:p1 type:task Tasks are the actions that make up epics. labels Apr 6, 2020
@nicholaschiang nicholaschiang changed the title Firebase config keys exposed to public fix: firebase config keys exposed to public Apr 6, 2020
@dos077

dos077 commented Apr 30, 2020

According to the Firebase team themselves, exposing the API key is not a risk. This project seems to run Firebase in a Node.js client-side app, so the API key will be compiled into plain text in the client-side JS file, even if it is hidden in the source code. Sure, it's easier for maintenance if the API key is stored in ENV, but the actual data safeguard relies on GAPI auth to verify users and the security settings on the database.

Firebase engineer's comment on Stack Overflow
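As an added illustration of the point made in the comment above (not code from this thread or from the tutorbook project): the Firebase web config shipped to the browser only identifies the project, so whether it sits in source or in an ENV variable, it ends up in the client bundle either way. What actually protects data is Firebase Authentication combined with the database security rules. The ruleset below assumes a Cloud Firestore database with a `users` collection keyed by user ID (an assumption; the thread does not say which Firebase database tutorbook uses). The commented-out block is the weak, fully open configuration under which anyone holding the public config could read or write everything; the active block is the hardened form that ties each user document to its authenticated owner.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // WEAK (do not deploy): with this rule, anyone who has the public web
    // config can read and write every document, because the API key alone
    // is enough to reach the backend. Hiding the key in ENV does not change
    // that, since the key is still in the JS bundle.
    //   match /{document=**} {
    //     allow read, write: if true;
    //   }

    // HARDENED: the client must present a valid Firebase Auth ID token
    // (request.auth is null for unauthenticated callers), and may only
    // touch the user document whose ID equals its own uid.
    // "users" collection name is an assumption for this example.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Firestore denies any request no rule allows, so this match grants
    // nothing; it is here only to make the default-deny intent explicit.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Deploy with `firebase deploy --only firestore:rules` and exercise the rules against the Firestore emulator or the Rules Playground before relying on them; a request that reaches Firestore with a valid API key but no ID token is rejected by the hardened ruleset, which is the safeguard the comment above describes.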

Development

No branches or pull requests

4 participants