向公众公开Firebase apiKey是否安全？ [英] Is it safe to expose Firebase apiKey to the public?

问题描述

Firebase Web应用指南声明我应该将给定的apiKey我的Html初始化firebase：

$ t $ p $ t $ T $替换你的项目的自定义代码片段
< script src = https://www.gstatic.com/firebasejs/3.0.2/firebase.js\"></script>
< script>
//初始化Firebase
var config = {
apiKey：'< your-api-key>'，
authDomain：'< your-auth-domain>'，
databaseURL：'< your-database-url>'，
storageBucket：'< your-storage-bucket>'
};
firebase.initializeApp（config）;
< / script>

通过这样做，apiKey就会暴露给每个访问者。这个键的目的是什么，它真的是公开的？

解决方案

apiKey本质上标识您的Firebase项目。有人知道这不是安全风险。事实上，为了让他们与您的Firebase项目进行交互，他们必须了解它。

从这个意义上讲，它与数据库URL非常相似Firebase历来被用于识别后端： https：//< app-id> .firebaseio.com 。看看这个问题为什么这不是一个安全风险：如何限制Firebase数据修改？ / a>

The firebase Web-App guide states i should put the given apiKey in my Html to initialize firebase:

// TODO: Replace with your project's customized code snippet
<script src="https://www.gstatic.com/firebasejs/3.0.2/firebase.js"></script>
<script>
  // Initialize Firebase
  var config = {
    apiKey: '<your-api-key>',
    authDomain: '<your-auth-domain>',
    databaseURL: '<your-database-url>',
    storageBucket: '<your-storage-bucket>'
  };
  firebase.initializeApp(config);
</script>

By doing so the apiKey is exposed to every visitor. What is the purpose of that key and is it really meant to be public?

解决方案

The apiKey essentially identifies your Firebase project. It is not a security risk for someone to know it. In fact, it is necessary for them to know it, in order for them to interact with your Firebase project.

In that sense it is very similar to the database URL that Firebase has historically been used to identify the back-end: https://<app-id>.firebaseio.com. See this question on why this is not a security risk: How to restrict Firebase data modification?

这篇关于向公众公开Firebase apiKey是否安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！