Step-by-Step Guide
6 steps

How to Fix Firebase API Key Exposure

Your security scan flagged a Firebase API key (AIzaSy...) in your frontend code. The good news is that Firebase API keys are designed to be public. They are not secrets. This guide explains why they are safe and what you should focus on instead to secure your Firebase app.


Follow These Steps

1. Understand that Firebase API keys are public by design

Firebase API keys identify your project but do not grant data access. Security is enforced by Firestore Security Rules, Realtime Database Rules, and Storage Rules.

Code Example
// This is NORMAL and SAFE
const firebaseConfig = {
  apiKey: "AIzaSyBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  authDomain: "your-project.firebaseapp.com",
  projectId: "your-project",
  storageBucket: "your-project.appspot.com",
  messagingSenderId: "123456789",
  appId: "1:123456789:web:abc123"
}

All Firebase projects embed the API key in frontend code. Google designed it this way. Do not waste time trying to hide it.

2. Focus on Security Rules instead

The real security of your Firebase app comes from Firestore Security Rules. Ensure they are restrictive.

Code Example
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // INSECURE - never use in production
    // match /{document=**} { allow read, write: if true; }
    
    // SECURE - scope to authenticated user
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}

3. Restrict the API key in Google Cloud Console

While the key is not a secret, restricting it prevents quota abuse from unauthorized origins.

Code Example
// Google Cloud Console > APIs & Services > Credentials
// 1. Select your Firebase API key
// 2. Set Application Restrictions to "HTTP referrers"
// 3. Add your domains: yourdomain.com/*, localhost:*
// 4. Set API Restrictions to only the APIs you use
// 5. Save

4. Check for actual secrets in your code

While the Firebase key is fine, check for other secrets that may actually be exposed.

Code Example
# Search for real secrets (not Firebase keys). Stripe live keys start with sk_live_,
# OpenAI project keys with sk-proj-; -E enables the | alternation portably.
grep -rnE "sk-proj|sk_live|secret_key|password|DATABASE_URL" src/ --include="*.ts" --include="*.js"
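As an added example (not code from the original guide or from VAS), a small triage script that separates the public Firebase key from credentials that genuinely must not be in a client bundle; the detection patterns and the sample bundle are constructed for illustration and the pattern list is deliberately short:

```javascript
// Added example: triage scanner findings so that Firebase web API keys, which are
// public by design, are reported as informational while real credentials are flagged.
const PATTERNS = [
  // Firebase/Google web API key: "AIza" + 35 URL-safe characters. Not a secret.
  { name: 'firebase-web-api-key', re: /AIza[0-9A-Za-z_-]{35}/g, severity: 'info',
    note: 'Public by design; check Security Rules, key restrictions and App Check instead.' },
  // Stripe live secret key (sk_live_...): must never reach a client bundle.
  { name: 'stripe-live-secret', re: /sk_live_[0-9A-Za-z]{16,}/g, severity: 'high',
    note: 'Server-side secret; rotate it and move it behind a backend.' },
  // OpenAI project key (sk-proj-...): same treatment.
  { name: 'openai-project-key', re: /sk-proj-[0-9A-Za-z_-]{16,}/g, severity: 'high',
    note: 'Server-side secret; rotate it and move it behind a backend.' },
  // Firebase Admin SDK service-account key: bypasses Security Rules entirely.
  { name: 'service-account-private-key', re: /-----BEGIN PRIVATE KEY-----/g, severity: 'critical',
    note: 'Grants full project access; never ship it to the browser.' },
];

// Scan one source file and return every match with its 1-based line number.
// Only a short prefix of the matched value is kept, so the report itself
// does not become another copy of the secret.
function scanSource(source) {
  const findings = [];
  for (const { name, re, severity, note } of PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ name, severity, line, prefix: m[0].slice(0, 10), note });
    }
  }
  return findings;
}

// Everything that is not informational still needs rotation and removal.
function realSecrets(findings) {
  return findings.filter((f) => f.severity !== 'info');
}

// Constructed sample resembling a client bundle: one public Firebase key (fine),
// two API secrets that should never be client-side, and one embedded private key.
const SAMPLE = [
  `const firebaseConfig = { apiKey: "AIzaSy${'B'.repeat(33)}", projectId: "your-project" };`,
  `const stripe = Stripe("sk_live_${'0'.repeat(24)}");`,
  `const openaiKey = "sk-proj-${'a'.repeat(20)}"; // copied from NEXT_PUBLIC_OPENAI_KEY`,
  'const serviceAccount = { private_key: "-----BEGIN PRIVATE KEY-----\\n..." };',
].join('\n');

console.log(realSecrets(scanSource(SAMPLE)).length, 'real secrets; the Firebase key is informational');
```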

5. Enable App Check for additional protection

App Check verifies that requests come from your legitimate app, adding another layer of security beyond the API key.

Code Example
import { initializeApp } from 'firebase/app'
import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check'

// firebaseConfig is the public config object from step 1
const app = initializeApp(firebaseConfig)

// Initialize App Check before any Firestore, Storage or Functions call so those
// requests carry a token. Enforcement must also be turned on per product in the
// Firebase console; until then App Check only monitors and does not block.
const appCheck = initializeAppCheck(app, {
  provider: new ReCaptchaV3Provider('your-recaptcha-site-key'),
  isTokenAutoRefreshEnabled: true
})

6. Scan for real vulnerabilities

Run a VAS scan to find actual security issues in your Firebase app, like open Security Rules or missing authentication.

What You'll Achieve

You understand that your Firebase API key is not a vulnerability. Your Security Rules are locked down, the API key is restricted to your domains, and App Check is enabled. Focus is correctly placed on rule-based security rather than key secrecy.

Common Mistakes to Avoid

Mistake: Trying to hide the Firebase API key in environment variables

Fix: The Firebase config must be in client code to initialize the SDK. Moving it to a .env file with a NEXT_PUBLIC_ prefix changes nothing, since it still ends up in the browser bundle.

Mistake: Thinking an exposed Firebase API key means your database is exposed

Fix: The API key only identifies the project. Data access is controlled by Security Rules. If your rules are locked down, the key is harmless.

Mistake: Ignoring Security Rules because the API key seems secure

Fix: The API key provides zero security. ALL your data security comes from Firestore, Database, and Storage Security Rules. Write and test them carefully.

Frequently Asked Questions

Is my Firebase API key (AIzaSy...) a security risk?

No. Firebase API keys are designed to be public. They identify your project but do not grant data access. Security is enforced by Firebase Security Rules.

Should I report an exposed Firebase API key as a vulnerability?

No. This is expected behavior. Google designed Firebase API keys to be embedded in client-side code. Focus on Security Rules for actual security.

What about the other config values like appId and messagingSenderId?

All Firebase config values are public. None of them are secrets. They are used to configure the Firebase SDK client and do not grant any privileged access.
