This is actually quite misleading. While it is possible to grab your API key from your site, it is 100% safe to leave this key in the open. It is a public key and the tutorials instruct you to do so.
The way to actually secure your real-time database or Firestore on Firebase is to set rules for accessing your database based on information such as request.userId or whether or not they've been granted access to a group. If you don't do this your server is very much still open to attack.
This being said, to do more complicated manipulation of your database, you should use Firebase functions, not because of your API key, but rather, because exposing your business logic to the world is dangerous and could be easily manipulated to provide different, potentially harmful, results.
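An added example, not part of the original comment or the post it replies to: a Firestore security rules file showing the two checks the comment describes, ownership by user ID and access through group membership. The rules language exposes the signed-in user's ID as `request.auth.uid`; the collection names (`users`, `groups`, `members`, `messages`) and the `author` field are hypothetical.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting to avoid (left commented out): with this rule, anyone
    // holding the public API key can read and write the whole database.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Per-user data: only the signed-in owner may read or write.
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Group access: membership is a document keyed by the user's ID in a
    // hypothetical "members" subcollection of the group.
    function isMember(groupId) {
      return request.auth != null
        && exists(/databases/$(database)/documents/groups/$(groupId)/members/$(request.auth.uid));
    }

    match /groups/{groupId} {
      allow read: if isMember(groupId);
      // No client writes: group changes go through Cloud Functions, which
      // use the Admin SDK and are not subject to these rules.
      allow write: if false;

      match /messages/{messageId} {
        allow read: if isMember(groupId);
        // Members may post, but only under their own user ID.
        allow create: if isMember(groupId)
                      && request.resource.data.author == request.auth.uid;
      }
    }

    // Any path not matched above is denied by default.
  }
}
```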
I am talking about API keys that are meant to be private. I even discuss how the Firebase API key and some other publishable API keys are perfectly fine in client-side code. There are a couple of links in the post that justify leaving the Firebase API key on client-side code.