Securing Firebase API keys?

Does the Firebase integration with AppGyver require separate security to hide Firebase API keys?

I’ve yet to be able to find docs or similar questions regarding general security within AppGyver when it comes to the Firebase integration. I understand the Firebase security rules but is this enough to keep someone from being able to find my Firebase API keys in my build?

In the docs regarding API security it mentions that the best way to connect to an API is to set up a backend middleware that handles authentication. Is this what other people who are connecting backends, whether they’re Firebase or not, are doing in order to secure their apps?

Hi Alex,
you need to take care of your database by establishing security rules, not by trying to hide the API key.

Have a look at the official Firebase docs (Learn about using and managing API keys for Firebase):

  • "Secure your database and Cloud Storage data by using Firebase Security Rules, not by restricting and/or obscuring your API keys"

I store my keys in my Firebase database and read them dynamically into an App variable during run-time. This way they are not stored in the build anywhere.

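As an added example that is not part of the post above or of the Firebase docs it links: the kind of Firestore Security Rules the quoted sentence is about, with the wide-open rule the console's "test mode" starts you with beside a hardened version. The collection names (`users`, `orders`, `config`), the field names and the allowed key list are assumptions constructed for the illustration. Grants are derived from `request.auth`, which Firebase populates from the signed-in user's verified ID token, never from anything the client puts in the request. A client-readable record that holds a secret is readable by anyone who can run the app (the point raised later in this thread), so the last block denies all client access to such a record and leaves it to server-side code using the Admin SDK, which bypasses rules.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (constructed to show the failure mode): anyone holding the public
    // Web API key, i.e. anyone with the app, can read and write every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: deny by default (no catch-all match), then grant per collection
    // from the verified identity in request.auth only.
    match /users/{uid} {
      allow read, update: if request.auth != null && request.auth.uid == uid;
      allow create: if request.auth != null && request.auth.uid == uid
                    && request.resource.data.keys().hasOnly(['displayName', 'email']);
      allow delete: if false;
    }

    match /orders/{orderId} {
      // Owner is taken from the stored document on read and from the
      // incoming document on create; both are compared to the token's uid.
      allow read: if request.auth != null && resource.data.ownerUid == request.auth.uid;
      allow create: if request.auth != null && request.resource.data.ownerUid == request.auth.uid;
      allow update, delete: if false;
    }

    // Assumed location of a secret-bearing record (hypothetical name): if the
    // app can read it, every copy of the app can. Only server-side code using
    // the Admin SDK (which is not subject to these rules) should touch it.
    match /config/{doc} {
      allow read, write: if false;
    }
  }
}
```

Firebase evaluates rules on every request regardless of which API key was used, which is why the docs say rules, not key secrecy, are the control that matters; the hardened block makes the API key useless to anyone who is not also signed in as the owning user.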

Ahh, ok. Thanks for letting me know. I kept seeing people say that API keys will be exposed in the build and anyone could get at them and that this was bad practice. I didn’t realize that this was ok as long as you have security rules in place.

Thank you for letting me know!

Right, it’s bad practice to hard code the key in a Set App Variable or Set Page Variable function. I just read the key in from a database record, that way if the key were to ever need changing I can just change it in the database without requiring a new app build.

Got it. Thanks for the help!

Hi John, the keys are still available in browser network traffic with all info, even keys. Is it possible to hide them, unless you use a proxy? I can view all my Firebase requests and responses in the browser console even though I applied rules to restrict it to authenticated users. The refresh tokens expire in 1 hr but it's still vulnerable.

It would be ideal if there was a way to encrypt/decrypt those keys coming across the network. I mainly just keep my server key stored on the database because I can auth-protect access to that database as needed, but also if the key needed to be changed, or did get compromised, then I could change it easily without needing to publish a new app build. Still, there is the issue of an un-encrypted server key coming across the network which is worrisome.

Absolutely. For any serious production app, a decent backend is needed between Firebase and Appgyver - mainly to manage security. Otherwise it’s way too risky.

I’m exploring a proxy server to hide the URLs and creds.