dalenguyen / firebase-wordpress-plugin

A plugin that helps to integrate Firebase to WordPress
https://firebase-wordpress-docs.readthedocs.io
GNU General Public License v2.0
110 stars 31 forks

Security Issues #172

Closed mmw562 closed 3 years ago

mmw562 commented 3 years ago

Hello Dale!

It appears that the API key, storage bucket, frontend token, etc. all appear in the URL source in the CDATA. This looks like a big security risk?

dalenguyen commented 3 years ago

Hi @mmw562, that information is supposed to be exposed on the front end.

Please check this one out.

https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public

More security enhancements can be done via security rules for storage, realtime & firestore.

https://firebase.google.com/docs/rules

mmw562 commented 3 years ago

That answers it! Thanks so much!

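Since the thread's answer is that the front-end config is public and access control lives in security rules, here is an added example (not code from the plugin or its documentation) that audits a Realtime Database rules file, which is JSON, for `.read`/`.write` rules that grant access without checking the caller. The two rule sets are constructed samples and the function names `auditRules` and `audit` are hypothetical.

```javascript
// Constructed sample: rules that leave the database open to anyone who
// has the (public) front-end config.
const OPEN_RULES = {
  rules: { ".read": true, ".write": "true" },
};

// Constructed sample: per-user data scoped to the signed-in user, plus a
// read-only public node.
const SCOPED_RULES = {
  rules: {
    users: {
      $uid: {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
    announcements: { ".read": "true", ".write": false },
  },
};

// Walk the rules tree and report .read/.write rules that are granted
// unconditionally or whose expression never references `auth`.
function auditRules(node, path = "") {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === ".read" || key === ".write") {
      const expr = String(value).trim();
      if (expr === "true") {
        findings.push({ path: path || "/", op: key, issue: "open to everyone" });
      } else if (expr !== "false" && !/\bauth\b/.test(expr)) {
        findings.push({ path: path || "/", op: key, issue: "no auth check" });
      }
    } else if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      // Child path or $wildcard: recurse. Arrays (.indexOn) are skipped.
      findings.push(...auditRules(value, `${path}/${key}`));
    }
  }
  return findings;
}

// Entry point: takes the whole rules document ({ rules: {...} }).
function audit(ruleSet) {
  return auditRules(ruleSet.rules);
}

console.log(audit(OPEN_RULES));
console.log(audit(SCOPED_RULES));
```

The public read on `announcements` is still reported so that a reviewer can confirm it is intentional.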