我应该把Firebase api的密钥隐藏到后台吗？不是因为数据安全问题，而是项目克隆问题

本文是小编为大家收集整理的关于我应该把Firebase api的密钥隐藏到后台吗？不是因为数据安全问题，而是项目克隆问题的处理/解决方法，可以参考本文帮助大家快速定位并解决问题，中文翻译不准确的可切换到English标签页查看源文。

中文
English

问题描述

有人可以帮助我解决firebase安全问题吗?
这是我试图找出的:

我知道，要让客户端与我的firebase应用程序进行交互，配置和firebase.initializeApp(config)将暴露在公共场合，使用客户端的每个人都可以在浏览器开发人员控制台中看到它.

我也知道这很好，因为我可以使用安全规则和验证来保护数据.

但是，如果有人复制了我的所有客户端代码(包括配置)并构建许多克隆站点，那么他们可以尽可能多地使用我的firebase 数据库吗?

在这种情况下，我应该将配置(API键)隐藏在像云功能之类的后端中吗? 谢谢...

其他推荐答案

无需尝试隐藏您的API键.它本质上是公共信息，无论您多么努力地混淆它，一个坚定的黑客都将能够掌握它.

黑客并没有通过获取API密钥来真正获得很多收益.这只是您项目的唯一标识符.如果您想在实时数据库和云存储中保护数据，则应将安全规则与Firebase身份验证一起使用，以保护仅应访问该访问的用户的访问.

本文地址：https://www.itbaoku.cn/post/1937871.html

百度翻译此文有道翻译此文

问题描述

Can someone help me with firebase security questions?
Here's what I was try to figure out:

I understand that to let a client side interacting with my firebase app, a config and firebase.initializeApp(config) will be exposed to public, and everyone using the client side can see it in browser developer console.

I also know that this is fine because I can use security rules and auth to secure data.

But, if someone copied all my client code (including configs) and build a lot of cloned sites, then they can use my firebase database as much as they want right?

In this case, should I hide configs(api keys) into backend like cloud functions or something? Thanks...

推荐答案

I've wondered something similar before, and found this handy article after a bit of searching. (The article itself is on mobile development, but there is a section addressing this specific question). The relevant section is titled "API Blockage by Domain and Package"

The article explains it better than I can, and just in case the link ever goes down, I'll copy the text below for future viewer's references. This was written by Jorge Vergara on his website https://javebratt.com/hide-firebase-api/ last updated July 20, 2018.

Another cool thing, if you go to your Google APIs account, you’ll see all of your Firebase projects, pick one, and in the Credentials Tab select your API key.

If you’ve never messed with it, it should be called something like Browser key (auto created by Google Service), open it, and you’ll find options for key restriction:

This key is unrestricted. To prevent unauthorized use and quota theft, restrict your key. Key restriction lets you specify which websites, IP addresses, or apps can use this key.

There you can choose HTTP referrers (websites) and add your domain. This means that the Firebase database will only accept requests for people writing from that domain.

Or Android apps and iOS apps, where you can add package name and fingerprints.

For example:

If you build myawesomeapp.com and add the domain in the HTTP referrers (websites) section, any attacker trying to connect from a different domain will get an error, and those requests will never make it to the database.

The link he provided to access your Google APIs account is: https://console.developers.google.com/apis/credentials

If you click on the link that says "Browser key (auto created by Google Service)" then you should see the "Application Restrictions" section towards the bottom, where you can select "HTTP Referrers"... clicking on that allows you to enter approved domains.

其他推荐答案

There is no need to try to hide your API key. It is essentially public information, and a determined hacker will be able to get a hold of it no matter how hard you try to obfuscate it.

A hacker doesn’t really stand to gain very much by getting your API key. It’s just a unique identifier for your project. If you want to secure your data in Realtime Database and Cloud Storage, you should use security rules along with Firebase Authentication to protect access to only the users who should have that access.

上一篇：我怎样才能为百度中国的一个网站商店定位器生成一个API密钥？

下一篇：使用Python中的requests包用API密钥调用REST API