Is It Safe To Send The Access Token In The URL? Firebase Realtime Database REST API
I am using the Firebase Realtime Database REST API on the client side. I noticed that you need to send the access token in the URL and this info is exposed on the request.
Is this a secure way of using the REST API? Is there another more secure way of accomplishing this?
Here is the documentation: https://firebase.google.com/docs/reference/rest/database#section-param-auth
Answer
When you see "https" at the front of the URL used for the API, that means the data is encrypted and can't be intercepted. So passing data along with the query should not pose a security problem in terms of someone gaining access to your key.
However, if you ship a client app that contains the key, you are basically giving it away to anyone who has your app, as it's always possible for someone to reverse engineer your app and gain access to all data inside it. To avoid that, you should be using Firebase Authentication and security rules to determine who can access the data in your database.
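An added example (not part of the original question or answer, and not Firebase's own code): building a REST URL whose `auth` parameter is an ID token from Firebase Authentication, as the answer recommends, and redacting that parameter before the URL is written to a log. The function names, the `example-project` database URL and the token value are assumptions constructed for illustration.

```javascript
// Added example. All names and sample values here are constructed for illustration.
// Query parameters that carry credentials on the Realtime Database REST API.
const SENSITIVE_PARAMS = new Set(["auth", "access_token"]);

// Build the REST URL for `path`, passing a Firebase Authentication ID token
// (for example from the signed-in user's getIdToken()) as the `auth` parameter.
// Security rules on the database then decide what that user may read or write.
function buildDbUrl(databaseUrl, path, idToken) {
  const base = databaseUrl.endsWith("/") ? databaseUrl : databaseUrl + "/";
  const url = new URL(path.replace(/^\/+/, "") + ".json", base);
  url.searchParams.set("auth", idToken);
  return url.toString();
}

// Return a copy of the URL that is safe to log: credential values are replaced,
// every other parameter is kept so the log line stays useful for debugging.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Snapshot the parameter names first, because set() mutates the list.
  for (const name of new Set(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      url.searchParams.set(name, "REDACTED");
    }
  }
  return url.toString();
}

// Format one request log line without the token.
function formatRequestLog(method, rawUrl, status) {
  return `${method} ${redactUrl(rawUrl)} -> ${status}`;
}

// Constructed sample values (not a real project or token).
const sampleUrl = buildDbUrl("https://example-project.firebaseio.com", "/users/alice", "aaa.bbb.ccc");
console.log(formatRequestLog("GET", sampleUrl + "&print=pretty", 200));
```

Only the redacted form should reach application logs, error reports or analytics; the full URL is used for the request itself.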