It is safe to include the config in your app. The Firebase docs address this:
A Firebase config file or config object associates your app with your Firebase project and its resources (databases, storage buckets, etc.).
The content is considered public, including your platform-specific ID (entered in the Firebase console setup workflow) and values that are specific to your Firebase project, like your API Key, Realtime Database URL, and Storage bucket name. Given this, use security rules to protect your data and files in Realtime Database, Cloud Firestore, and Cloud Storage.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Excuse me if I've missed something. But surely having your API key inside the create-react-app will expose your backend to abuse.
Someone with knowledge of JavaScript could easily find the API key within your code and use the key to write whatever they want to the database?
Oh none at all, you're right on point. I've also wondered the same thing until I came to this post:
javebratt.com/hide-firebase-api/
I won't put anything into my Firebase project except for this tutorial, so for all purpose I think it will be fine.
It is safe to include the config in your app. The Firebase docs address this: