Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

javascript - Is it safe to expose Firebase apiKey to the public?

The firebase Web-App guide states I should put the given apiKey in my Html to initialize firebase:

    // TODO: Replace with your project's customized code snippet
    <script src="https://www.gstatic.com/firebasejs/3.0.2/firebase.js"></script>
    <script>
      // Initialize Firebase
      var config = {
        apiKey: '<your-api-key>',
        authDomain: '<your-auth-domain>',
        databaseURL: '<your-database-url>',
        storageBucket: '<your-storage-bucket>'
      };
      firebase.initializeApp(config);
    </script>

By doing so the apiKey is exposed to every visitor. What is the purpose of that key and is it really meant to be public?

Asked by farmio, translated from SO


1 Reply


The apiKey essentially just identifies your Firebase project on the Google servers.

It is not a security risk for someone to know it. In fact, it is necessary for them to know it, in order for them to interact with your Firebase project. In that sense it is very similar to the database URL that Firebase has historically used to identify the back-end: https://<app-id>.firebaseio.com.

See this question on why this is not a security risk: "How to restrict Firebase data modification?", including the use of Firebase's server side security rules to ensure only authorized users can access the backend services.

If you want to learn how to ensure that all data access to your Firebase backend services is authorized, read up on the documentation on Firebase security rules.
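Because the apiKey is public by design, the server-side rules are what need auditing. The following is an added example, not part of the original answer: a small check that walks a Realtime Database rules object and reports every `.read` or `.write` granted unconditionally. Both rule sets, the paths `users` and `public`, and the function names are constructed for illustration.

```javascript
// Added example, not from the original post. Both rule sets are constructed
// samples; "users" and "public" are hypothetical paths.
const weakRules = {
  rules: {
    '.read': true, // anyone holding the public config can read everything
    users: { $uid: { '.write': 'true' } },
  },
};

const hardenedRules = {
  rules: {
    users: {
      $uid: {
        // each user may only touch their own subtree
        '.read': '$uid === auth.uid',
        '.write': '$uid === auth.uid',
      },
    },
    public: { '.read': 'auth != null' }, // any signed-in user
  },
};

// Walk the tree and report every .read/.write that is unconditionally true.
// Grants cascade to child paths, so a finding at "/" exposes everything below.
function findOpenRules(node, path = '/') {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === '.read' || key === '.write') {
      if (String(value).trim() === 'true') {
        findings.push({ path, rule: key });
      }
    } else if (value !== null && typeof value === 'object') {
      const childPath = path === '/' ? `/${key}` : `${path}/${key}`;
      findings.push(...findOpenRules(value, childPath));
    }
  }
  return findings;
}

// Entry point: takes the whole rules document ({ rules: { ... } }).
function auditRules(ruleset) {
  return findOpenRules(ruleset.rules || {});
}

console.log(auditRules(weakRules));
console.log(auditRules(hardenedRules));
```

The check only flags a literal `true`; an expression such as `auth != null` still admits every signed-in user and needs review against the data it protects.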
