Flutter Web Config File Privacy

There are no credentials in Firebase configurations. There are just configurations that tell code where to find your project and database. These configurations are effectively public information when you publish your app. There's nothing you can do to hide them completely.

If you are concerned about the security of data in Firestore, you will need to use security rules along with Firebase Authentication to indicate who is allowed to read and write which parts of your database. It's not possible to secure the database to just a specific app or web domain, since the Firebase APIs are all effectively public APIs. Security rules are what make the database secure.

Also read: Is it safe to expose Firebase apiKey to the public?

Author: Mert Yerekapan

Computer Engineering student in Istanbul Technical University, 3/4. Interested in soft skills as well.

Updated on December 21, 2022

Comments

  • Mert Yerekapan, over 1 year

    I am working on an only-web Flutter project and I am using Firebase Cloud Firestore. As you know, we need to add config files to the "index.html" file in order to have a connection with Firebase. My project is very simple; it has a form that takes input and stores it to Firestore. Everyone can use it without logging in.

    My problem is: Everyone can inspect the page code and see the credentials in the config file.

    Question is: Is it a problem? I don't want people to abuse the website by using the credentials or get access to my firebase project. If it is a problem, how can I hide it?

    Thank you.

  • Mert Yerekapan, almost 4 years
    Thank you so much for the clarification. I also checked the security rules but I guess if I don't ask for authentication, I can't set any rules. Would it be wise to ask for anonymous authentication, just to set up some rules? So I could block the spam (just in case).
  • Doug Stevenson, almost 4 years
    That would be a good place to start; however, that doesn't prevent someone from simply using the Firebase Auth REST API to create a new anonymous account, and use its credentials to access the database.
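
As an added illustration of the security rules the answer and the comments refer to (not code from the original thread): a Firestore rule set for a public form that writes after anonymous sign-in. The collection name `submissions` and the fields `name`, `message`, `uid` and `createdAt` are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical collection that receives the form's submissions.
    match /submissions/{docId} {

      // Create only, and only for a signed-in caller (anonymous sign-in counts).
      allow create: if request.auth != null
        // Exactly these fields, nothing extra smuggled into the document.
        && request.resource.data.keys().hasAll(['name', 'message', 'uid', 'createdAt'])
        && request.resource.data.keys().hasOnly(['name', 'message', 'uid', 'createdAt'])
        // Type and size limits on the user-supplied text.
        && request.resource.data.name is string
        && request.resource.data.name.size() > 0
        && request.resource.data.name.size() <= 100
        && request.resource.data.message is string
        && request.resource.data.message.size() > 0
        && request.resource.data.message.size() <= 2000
        // The document must be stamped with the caller's own uid ...
        && request.resource.data.uid == request.auth.uid
        // ... and with the server's time (client sends serverTimestamp()).
        && request.resource.data.createdAt == request.time;

      // Clients can never read, modify or delete submissions.
      // Administrative access through the Admin SDK bypasses these rules.
      allow read, update, delete: if false;
    }

    // No rule matches any other path, so all other access is denied by default.
  }
}
```

Because anyone can obtain an anonymous account, as the last comment points out, these rules constrain what a client can write and read, not who the client is.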