False positive, Firebase API key #14
Comments
|
Agree, Firebase in JavaScript are public keys, even that they look like private, everything what need to be in JS is public. |
|
Per the documentation on Firebase Config files. API keys are considered unique but public information. https://firebase.google.com/docs/projects/learn-more#config-files-objects |
|
Just received an alert for the same thing, it's really a false positive. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello, and thank you for the GitGuardian service that you provide, it is really useful.
I want to point out that you should not auto-detect a Firebase API key as "compromised" since this is not a private key but a public key that any entity should access in order to connect to the Firebase API that was set up. Authentication allows only some/all end-users to access/modify/validate certain parts of it, so the API key is not the one that should be guarded.
https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification
The text was updated successfully, but these errors were encountered: