There is no way to prevent your API configuration from being completely public. Even if you find some way to hide it in environment variables, Google exposes it themselves through the SKD auto-configuration URLs. Just append /__/firebase/init.json or /__/firebase/init.js to the root of any Firebase hosting domain and there's the credentials.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
There is no way to prevent your API configuration from being completely public. Even if you find some way to hide it in environment variables, Google exposes it themselves through the SKD auto-configuration URLs. Just append
/__/firebase/init.jsonor/__/firebase/init.jsto the root of any Firebase hosting domain and there's the credentials.