API Key Exposure in Firebase Applications
Firebase API keys are designed to be public. They identify your project but do not grant access to data. Security is enforced by Firestore Security Rules, RTDB Rules, and Storage Rules. The real vulnerability is not the exposed key but misconfigured Security Rules that allow unauthorized access.
How API Key Exposure Manifests in Firebase
False-positive key exposure alerts in Firebase apps: security scanners flag the Firebase config object (apiKey, authDomain, projectId) as exposed secrets. These are NOT secrets and are safe in client code. The real risks are:
- Firestore/RTDB Security Rules that are too permissive
- Firebase Admin SDK credentials (service account JSON) in client code
- Cloud Function environment variables exposed in client bundles
- Server-side API keys (such as a Stripe secret key) mixed in with the Firebase config
Real-World Impact
A team spent weeks trying to hide their Firebase API key based on a scanner report, implementing a proxy server and environment variable obfuscation. Meanwhile, their Firestore Security Rules were set to "allow read, write: if true", meaning anyone could read and write all data regardless of the API key. The key was never the problem - the rules were.
Step-by-Step Fix
Focus on Security Rules, not hiding keys
Write proper Security Rules that protect your data regardless of who has the API key.
// firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Deny everything by default
    match /{document=**} {
      allow read, write: if false;
    }
    // User data - only owner
    match /users/{userId} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }
    // Public content - anyone can read, only author writes
    match /posts/{postId} {
      allow read: if true;
      // On create there is no stored document yet, so check the incoming
      // data (request.resource); on update/delete check the stored document.
      allow create: if request.auth != null
        && request.auth.uid == request.resource.data.authorId;
      allow update, delete: if request.auth != null
        && request.auth.uid == resource.data.authorId;
    }
  }
}

Restrict API keys in Google Cloud Console
Add HTTP referrer restrictions to limit key usage to your domains. Referrer restrictions only apply to browser requests that send your domain as the referrer, so they reduce casual abuse of the key but do not replace Security Rules.
// Google Cloud Console > APIs & Services > Credentials
// Edit your API key and add restrictions:
//   Application restrictions:
//     HTTP referrers: *.yourdomain.com/*, localhost:*/*
//   API restrictions:
//     Restrict to: Firebase APIs, Maps JavaScript API, etc.

Separate admin credentials from config
Keep Firebase Admin SDK credentials server-side only.
// SAFE in client code - Firebase config (public)
const firebaseConfig = {
  apiKey: "AIzaSyAbc123...", // Public, safe
  authDomain: "app.firebaseapp.com",
  projectId: "my-app",
};

// NEVER in client code - Admin SDK (secret)
// This goes in server-side code only:
import admin from 'firebase-admin';
import serviceAccount from './service-account.json'; // .gitignore this!
admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
});

Prevention Best Practices
1. Accept that Firebase API keys are public - focus on Security Rules instead.
2. Write granular Security Rules that check auth.uid and document ownership.
3. Never put Firebase Admin SDK service account credentials in client code.
4. Restrict API keys in the Google Cloud Console (HTTP referrer restrictions).
5. Separate Firebase config from server-side secrets in your codebase.
How to Test
1. Check your Firestore Security Rules in the Firebase Console.
2. Test rules with the Security Rules playground in the Console.
3. Verify the service account JSON is not in client code or git.
4. Check that API keys have referrer restrictions in Google Cloud Console.
5. Use Vibe App Scanner to check your Firebase app's security configuration.
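The "real risks" list above and test step 3 both come down to telling the public Firebase config apart from material that must never reach the browser. The following added example (not the page's or VAS's own code) makes that distinction over a constructed set of build files; the regexes, severities and sample values are assumptions for illustration.

```javascript
// Added example (not from the original page): classify strings in a client build so a
// CI step fails on real secrets but stays quiet about the public Firebase config.
// Patterns and sample files below are constructed for illustration.
const FINDINGS = [
  // Firebase web API key (AIza + 35 chars): public by design, informational only.
  { id: 'firebase-web-api-key', severity: 'info', re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
  // Admin SDK service account JSON in the bundle grants full project access.
  { id: 'service-account-json', severity: 'critical', re: /"type"\s*:\s*"service_account"/ },
  { id: 'private-key-pem', severity: 'critical', re: /-----BEGIN (?:RSA )?PRIVATE KEY-----/ },
  // Server-side third-party secret (Stripe secret keys start with sk_live_ / sk_test_).
  { id: 'stripe-secret-key', severity: 'critical', re: /\bsk_(?:live|test)_[0-9A-Za-z]{10,}\b/ },
  // Rules that grant everything: the real vulnerability behind most "key exposure" reports.
  { id: 'open-security-rules', severity: 'high', re: /allow\s+(?:read\s*,\s*write|write)\s*:\s*if\s+true\s*;/ },
];
// 1-based line number of a match offset, for a readable report.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Scan one file; return one finding per matching pattern.
function scanSource(name, text) {
  const hits = [];
  for (const f of FINDINGS) {
    const m = f.re.exec(text);
    if (m) hits.push({ file: name, id: f.id, severity: f.severity, line: lineOf(text, m.index) });
  }
  return hits;
}

// Scan a map of { path: contents } as read from a build directory.
function scanBundle(files) {
  return Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
}

// Only high/critical findings break the build; the public config alone never does.
function shouldFailBuild(hits) {
  return hits.some((h) => h.severity === 'critical' || h.severity === 'high');
}

// Constructed sample build output (all values are fake placeholders).
const SAMPLE_BUNDLE = {
  'dist/main.js': [
    'const firebaseConfig = { apiKey: "AIzaSyEXAMPLE00000000000000000000000000", projectId: "my-app" };',
    'const stripe = Stripe("sk_live_EXAMPLE000000000000000000"); // server secret leaked into client',
  ].join('\n'),
  'dist/service-account.json': '{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----PLACEHOLDER-----END PRIVATE KEY-----"}',
  'firestore.rules': 'match /{document=**} {\n  allow read, write: if true;\n}',
};
console.log(scanBundle(SAMPLE_BUNDLE), 'fail build:', shouldFailBuild(scanBundle(SAMPLE_BUNDLE)));
```

Run against a real build directory by reading each file into the map; the API key alone produces an informational finding and does not fail the build.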
Frequently Asked Questions
Is the Firebase API key a secret?
No. The Firebase API key is a project identifier, similar to a public URL. It does not grant access to data. Security is enforced by Firestore Security Rules, RTDB Rules, and Storage Rules. The key is designed to be in your client-side code.
Should I hide my Firebase config?
No. The Firebase config (apiKey, authDomain, projectId, etc.) is all public information. Trying to hide it provides no security benefit. Instead, invest your time in writing proper Security Rules.
What Firebase credentials ARE secret?
The Firebase Admin SDK service account JSON file is secret and must never be in client code. Cloud Function environment variables containing third-party API keys are also secret. The standard Firebase config object is not secret.
Is Your Firebase App Vulnerable to API Key Exposure?
VAS automatically scans for API key exposure vulnerabilities in Firebase applications and provides step-by-step remediation guidance with code examples.
Scans from $5, results in minutes. Get actionable fixes tailored to your Firebase stack.