Security & Best Practices

Firebase Security Best Practices

Firebase gives you a powerful backend — but misconfigured projects are among the most common sources of data breaches in mobile and web apps. This guide covers the practical steps that harden a Firebase project from development to production.

1. Firebase Security Rules

Security Rules are the most important protection layer. They are evaluated on Firebase servers for every request, so nothing a client does can bypass them; equally, nothing done only in the client (obfuscation, hidden UI, API key restrictions) substitutes for them. A project created in "test mode" gets rules that allow open access to anyone for 30 days; those rules must be replaced before real data is stored.

Insecure default rules (never ship these)

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;  // Anyone can read/write anything
    }
  }
}

Secure rules: deny by default, allow explicitly, and split write into create/update/delete

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Rules are deny-by-default; this explicit deny documents the intent
    // and makes an accidental broad allow stand out in review
    match /{document=**} {
      allow read, write: if false;
    }

    // Allow users to read/write only their own document
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Public read, authenticated write.
    // - create: the new document must name the caller as its author
    // - update: the caller must already own the stored document (resource),
    //   and may not hand the post to someone else by changing authorId
    // - delete: request.resource does not exist on deletes, so check resource only
    match /posts/{postId} {
      allow read: if true;
      allow create: if request.auth != null
                    && request.resource.data.authorId == request.auth.uid;
      allow update: if request.auth != null
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId;
      allow delete: if request.auth != null
                    && resource.data.authorId == request.auth.uid;
    }
  }
}

A single `allow write` guarded only by `request.resource.data.authorId == request.auth.uid` is a common mistake: it checks the incoming data, not the stored document, so any signed-in user can overwrite someone else's post by submitting their own uid as `authorId`, and deletes fail because `request.resource` is absent. Checking `resource.data` on update and delete closes both gaps.
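Rules changes are easy to get wrong quietly, so it is worth failing the build on the patterns that most often ship by accident. The following is an added example, not code from the page's author or from Firebase: a small lint that runs over the rules source text (the file you pass to `firebase deploy`) and reports unconditional writes, the 30-day test-mode expiry rule, and conditional allows placed under the recursive `{document=**}` wildcard. It does not evaluate rules (use the Rules Simulator or the emulator for that); function and field names such as `lintRules`, `severity` and `reason` are hypothetical.

```javascript
// Added example (not from the page's author or Firebase): a pre-release lint for
// Firestore Security Rules source, meant to run in CI before `firebase deploy`.
// It does not evaluate rules; it flags the textual patterns that most often ship
// by accident. Function and field names (lintRules, severity, reason) are hypothetical.

const WRITE_OPS = new Set(['write', 'create', 'update', 'delete']);

// The "test mode" rule Firebase generates for new projects: open until a date passes.
const TEST_MODE_RE = /^request\.time\s*<\s*timestamp\.date\(\s*\d+\s*,\s*\d+\s*,\s*\d+\s*\)$/;

// Parse one statement such as `allow read, write: if request.auth != null;`
function parseAllow(stmt) {
  const m = stmt.match(/allow\s+([^:;]+?)\s*(?::\s*if\s+([\s\S]+?))?\s*;/);
  if (!m) return null;
  const ops = m[1].split(',').map((s) => s.trim());
  const cond = m[2] ? m[2].replace(/\s+/g, ' ').trim() : 'true'; // `allow read;` is unconditional
  return { ops, cond };
}

function classify(allow, underRecursiveWildcard, line) {
  const base = { line, ops: allow.ops, cond: allow.cond };
  if (allow.cond === 'true') {
    return allow.ops.some((op) => WRITE_OPS.has(op))
      ? { ...base, severity: 'critical', reason: 'unconditional write' }
      : { ...base, severity: 'info', reason: 'public read (confirm it is intended)' };
  }
  if (TEST_MODE_RE.test(allow.cond)) {
    return { ...base, severity: 'critical', reason: 'test-mode expiry rule' };
  }
  if (underRecursiveWildcard && allow.cond !== 'false') {
    return { ...base, severity: 'high', reason: 'allow under {document=**} applies to every document' };
  }
  return null;
}

// Walk the rules text line by line, tracking which open blocks are recursive-wildcard
// matches, and classify every `allow` statement (statements may span several lines).
function lintRules(rulesText) {
  const findings = [];
  const scopes = [];  // one entry per open `{`; true when it opened a `{...=**}` match
  let pending = null; // allow statement being accumulated until its `;`
  let pendingLine = 0;
  rulesText.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, ''); // drop trailing comments
    const matchOpen = line.match(/^\s*match\s+(\S+)\s*\{\s*$/);
    if (matchOpen) { scopes.push(matchOpen[1].includes('=**')); return; }
    if (pending === null && /\ballow\b/.test(line)) { pending = ''; pendingLine = idx + 1; }
    if (pending !== null) {
      pending += ' ' + line;
      if (line.includes(';')) {
        const allow = parseAllow(pending);
        pending = null;
        const f = allow && classify(allow, scopes.some(Boolean), pendingLine);
        if (f) findings.push(f);
      }
    }
    for (const ch of line) {
      if (ch === '{') scopes.push(false);
      else if (ch === '}') scopes.pop();
    }
  });
  return findings;
}

function hasCriticalFindings(rulesText) {
  return lintRules(rulesText).some((f) => f.severity === 'critical');
}

// Constructed samples: wrap one allow statement in the page's recursive-wildcard match.
function wildcardRules(allowStatement) {
  return `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      ${allowStatement}
    }
  }
}`;
}
const INSECURE_RULES = wildcardRules('allow read, write: if true;  // anyone can read/write');
const TEST_MODE_RULES = wildcardRules('allow read, write: if request.time < timestamp.date(2026, 7, 1);');

// CLI use: `node lint-rules.js firestore.rules` exits 1 on a critical finding.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const text = require('fs').readFileSync(process.argv[2], 'utf8');
  for (const f of lintRules(text)) console.log(`${f.severity}\tline ${f.line}\t${f.reason}`);
  process.exitCode = hasCriticalFindings(text) ? 1 : 0;
}
```

Public reads are reported at `info` level rather than failing the build, because `allow read: if true` on a posts collection is often intended; the point is that every one of them is listed for the reviewer instead of hiding in a long file.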

2. API Key Restrictions

Firebase API keys in client code are not secrets: they identify your project, are meant to ship with the app, and access to data is decided by Security Rules, not by the key. An unrestricted key can still be abused to burn quota, and it is accepted by any Google API enabled in the project that takes API keys, so restrict it in the Google Cloud Console:

  1. Go to Google Cloud Console → APIs & Services → Credentials
  2. Find your Firebase API key and click Edit
  3. Under Application restrictions, add your app's domain as an HTTP referrer (web), its package name plus SHA-1 signing fingerprint (Android) or its bundle ID (iOS)
  4. Under API restrictions, limit the key to the APIs your Firebase SDKs actually call (for Authentication that includes the Identity Toolkit API and the Token Service API), then re-test every sign-in and data path: an API missing from the list surfaces as a runtime error, not at deploy time

3. Firebase App Check

App Check asks a platform attestation provider (Play Integrity on Android, App Attest or DeviceCheck on iOS, reCAPTCHA on the web) to vouch that a request comes from your genuine app on an untampered device, and enforcing services then refuse requests that lack a valid App Check token. It raises the cost of hitting your backend from scripts, emulators or repackaged builds; it does not replace Security Rules, because a genuine app can still be driven by a hostile user.

// Android — enable App Check with Play Integrity (release builds)
import com.google.firebase.FirebaseApp
import com.google.firebase.appcheck.FirebaseAppCheck
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory

// Run once at startup (for example in Application.onCreate),
// before the first call to any other Firebase service
FirebaseApp.initializeApp(context)
val firebaseAppCheck = FirebaseAppCheck.getInstance()
firebaseAppCheck.installAppCheckProviderFactory(
    PlayIntegrityAppCheckProviderFactory.getInstance()
)

// Web — use reCAPTCHA Enterprise
import { initializeApp } from 'firebase/app';
import { initializeAppCheck, ReCaptchaEnterpriseProvider } from 'firebase/app-check';

const app = initializeApp(firebaseConfig); // your project's public web config

// Must run before the first Firestore, Storage or Functions call
initializeAppCheck(app, {
  provider: new ReCaptchaEnterpriseProvider('YOUR_RECAPTCHA_SITE_KEY'), // an Enterprise site key
  isTokenAutoRefreshEnabled: true
});

After setup, App Check only monitors: until you turn on enforcement for a service (Firestore, Realtime Database, Storage, callable Cloud Functions, Authentication) the console reports how many requests lacked a valid token, but every request is still served. Enable enforcement per service in the Firebase Console once the metrics show your legitimate traffic is attested. For development builds and emulators use the debug provider with a registered debug token, and make sure it never ends up in a release build.

4. Authentication Hardening

Enable email verification: require users to verify their email before they reach protected features, and enforce it server-side by checking request.auth.token.email_verified in Security Rules rather than trusting a client-side flag
Set up multi-factor authentication (MFA) for sensitive operations via Firebase Auth's TOTP or SMS second factors (this requires upgrading the project to Identity Platform)
Configure session duration: ID tokens expire after one hour and are refreshed silently, so for sensitive apps add idle logout in the client, and where you mint session cookies with the Admin SDK keep their lifetime short
Block disposable email domains with a beforeCreate blocking function if needed (also an Identity Platform feature)
Revoke refresh tokens immediately on account compromise via the Admin SDK (revokeRefreshTokens); ID tokens already issued stay valid until they expire, so backends that must react at once verify tokens with the checkRevoked flag set
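Revocation is frequently misunderstood: `revokeRefreshTokens(uid)` stops new ID tokens from being minted, but does nothing to ID tokens already in an attacker's hands unless the backend checks for revocation. The following is an added example (not code from the page's author or from Firebase) that reproduces the comparison the Admin SDK performs inside `verifyIdToken(token, true)` after it has verified the signature: a token is revoked when its `auth_time` claim (the original sign-in time, which silent refreshes keep) is earlier than the user's `tokensValidAfterTime`. The tokens are constructed and unsigned, purely to show which claims the check reads; `sampleIdToken`, `decodePayload` and `tokenStatus` are hypothetical names.

```javascript
// Added example (not from the page's author): what revoking refresh tokens does and
// does not invalidate. revokeRefreshTokens(uid) stamps tokensValidAfterTime on the
// user; an ID token counts as revoked when its auth_time (the original sign-in time,
// which silent refreshes keep) is earlier than that stamp. The Admin SDK runs this
// comparison inside verifyIdToken(token, true) after verifying the signature; the
// code below reproduces only the comparison, on constructed, unsigned sample tokens.
// Function names are hypothetical.

function b64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Constructed sample ID token (header.payload.signature) for illustration only.
function sampleIdToken(uid, authTime, iat) {
  const header = { alg: 'RS256', typ: 'JWT', kid: 'constructed' };
  const payload = { sub: uid, user_id: uid, auth_time: authTime, iat, exp: iat + 3600 };
  return `${b64url(Buffer.from(JSON.stringify(header)))}.${b64url(Buffer.from(JSON.stringify(payload)))}.sig`;
}

// Decodes the payload WITHOUT verifying the signature. In production the payload
// comes from verifyIdToken; this exists only to show which claims the check reads.
function decodePayload(idToken) {
  return JSON.parse(fromB64url(idToken.split('.')[1]).toString('utf8'));
}

// The revocation check. tokensValidAfterTime is the ISO-8601 string on the user
// record (null if never revoked); claim times are seconds since the epoch.
function tokenStatus(payload, tokensValidAfterTime, nowSeconds) {
  if (payload.exp <= nowSeconds) return 'expired';
  if (tokensValidAfterTime) {
    const validSince = Math.floor(new Date(tokensValidAfterTime).getTime() / 1000);
    if (payload.auth_time < validSince) return 'revoked';
  }
  return 'valid';
}

// Timeline: Alice signs in at T0; an attacker who stole her session refreshes the
// ID token at T0+5min; you revoke at T0+10min; Alice signs in again at T0+30min;
// the backend checks the tokens at T0+32min.
function demo() {
  const T0 = 1_700_000_000;
  const revokedAt = new Date((T0 + 600) * 1000).toISOString();
  const stolen = decodePayload(sampleIdToken('alice', T0, T0));
  const refreshed = decodePayload(sampleIdToken('alice', T0, T0 + 300)); // auth_time unchanged
  const reLogin = decodePayload(sampleIdToken('alice', T0 + 1800, T0 + 1800));
  const now = T0 + 1920;
  return {
    stolenWithoutCheck: tokenStatus(stolen, null, now),      // 'valid': revocation alone changes nothing until exp
    stolen: tokenStatus(stolen, revokedAt, now),             // 'revoked'
    refreshed: tokenStatus(refreshed, revokedAt, now),       // 'revoked': the refresh kept auth_time
    reLogin: tokenStatus(reLogin, revokedAt, now),           // 'valid': new sign-in, new auth_time
    stolenAfterExpiry: tokenStatus(stolen, null, T0 + 3600), // 'expired'
  };
}
```

In a real backend the only two calls you need are `getAuth().revokeRefreshTokens(uid)` on compromise and `getAuth().verifyIdToken(idToken, true)` on every sensitive request, which throws `auth/id-token-revoked` for the `stolen` and `refreshed` cases above. Security Rules cannot call the Admin SDK, so if rules must honour revocation too, store the revocation time per user in the database and compare it against `request.auth.token.auth_time` in the rule, which is the same comparison as `tokenStatus`.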

5. Security Checklist

Item                                                    Priority
Write deny-by-default Security Rules                    Critical
Test rules with the Firebase Security Rules Simulator   Critical
Restrict API keys to your app domain/fingerprint        High
Enable Firebase App Check in production                 High
Enable email verification for user auth                 Medium
Set up Firebase Alerts for budget overruns              Medium
Review Security Rules before each release               Ongoing
Monitor for unauthorized API usage in Cloud Console     Ongoing

Never expose service account keys

Firebase Admin SDK service account JSON files contain a private key that grants full project access and bypasses Security Rules entirely. Never commit them to version control, bundle them into client apps, or put them in build-time environment variables that end up in the browser bundle (variables your bundler exposes, such as those prefixed NEXT_PUBLIC_ or VITE_, are public). Keep them in Secret Manager or your CI/CD system's secret store, prefer Application Default Credentials or Workload Identity on Google-hosted runtimes so that no key file exists at all, and rotate the key immediately if one leaks.

Written by Zhisan

Independent Developer · Last updated June 2026