Securing Firebase API keys

Chethan V
3 min read · Aug 20, 2020


A simple guide to securing a Firebase project even when your API keys are public

If you have ever used Firebase services such as Authentication or Storage, you will be familiar with the web config object that Google generates for every project.

Sample Firebase Config

As Google itself says in its docs:

The Firebase config object contains unique, but non-secret identifiers for your Firebase project.

So Google does not ask you to hide these keys from the public. What it does ask is that the API key itself be restricted, so that possessing it grants as little as possible.

When the key carries no restrictions, anyone on the internet can copy the config into their own app and call the Firebase Authentication service to create accounts in your project; if your Security Rules are permissive as well, those accounts can read and write your data. That is a real security concern.

To keep the project out of this kind of mess we can restrict the API key itself; this was my approach.

Secure Firebase Authentication by preventing account login and creation of new users from any other website but yours

As mentioned, anyone who has your Firebase config can clone the app locally and create users. A newly created Firebase project accepts requests carrying the config's API key from any HTTP referrer (that is, from any website); this is the default for all Firebase projects. To change that default, follow these steps.

  • In the Google Cloud Console, open APIs & Services > Credentials and, from the API keys list, select the Browser key that Firebase auto-created.
  • By default the key has no restrictions. Go to Application restrictions.
  • Select HTTP referrers (web sites) and add your domains. This is the allowlist of websites that may use the key against your project, in other words the only sites allowed to sign users in or create them.
  • Referrer patterns let you scope the allowlist: a specific URL (www.example.com/path), one domain with any path but no subdomains (example.com/*), any path under a single subdomain (sub.example.com/*), or any subdomain and any path of a domain (*.example.com/*).
  • Save the changes and try to create a user from a local copy of the app; the request is rejected with an error like the one below.

Sign-up and sign-in now fail from localhost and from every domain that is not on the list. This blocks you as well, since localhost is not allowlisted, so do development and testing in a separate project. Keep in mind what the check actually compares: the Referer header the client sends. A browser fills it in from the page origin, but a script or a curl call can set it to anything, so this restriction stops other websites from reusing your config rather than stopping a determined attacker. Authorization still has to live in your Security Rules.

Protect Firebase Storage by Hardening Storage Rules

The API key restriction above governs only requests that present the key, which is how the Authentication service is called. For Firebase Storage, every read and write is authorized by the Security Rules you set. "User-private" rules are the accepted baseline for operations like write: the rule compares request.auth.uid, the user ID from the verified ID token of the signed-in caller, against the user ID embedded in the object path, so only the owner of a path can modify it.
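For concreteness, here is a Storage rules file as an added example (not the article's own rules). The commented-out rule is the permissive "any signed-in user" pattern; the active rules are the user-private form described above, plus constraints on what may be written. The `users/{uid}/...` path layout, the size limit and the image-only content type are assumptions for this example.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Weak: any signed-in account can read and write every object. With a
    // public config and open sign-up, "signed in" means "anyone".
    // match /{allPaths=**} {
    //   allow read, write: if request.auth != null;
    // }

    // User-private: the uid segment of the path must equal the uid in the
    // caller's verified ID token. Other accounts get permission denied.
    match /users/{uid}/{fileName} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }

    // Constrain what is written, not only who writes it (assumed limits:
    // images only, under 5 MiB).
    match /users/{uid}/avatars/{fileName} {
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }
  }
}
```

Rules are allow-only: a request is permitted if any matching rule allows it, so keep wildcard `{allPaths=**}` grants out of the file entirely rather than trying to override them lower down.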

Ref: Firebase Docs

These are some great articles on Firebase Storage rules and securing them:
