How do I prevent my firebase application from being used on other websites?

Question

How do I prevent my firebase application from being used on other websites?

Asked 7 years, 11 months ago

Viewed 312 times

2

How to prevent other people from taking this code from my site and using it on others, or how to make it only work on mine?

var config = {
      apiKey: 'your-api-key',
      authDomain: 'your-auth-domain',
      databaseURL: 'your-database-url',
      storageBucket: 'your-storage-bucket'
    };
firebase.initializeApp(config);

(edited) It’s like I have a server just to use this firebase code but use the application on another site?

2

Not using this in the browser JS?

– Maniero

2016/07/08 at 14:11
I need it because I don’t have access to the server.

– Haffy

2016/07/08 at 14:57
1

So forget it..

– Maniero

2016/07/08 at 17:18
CORS with authorization list of which domains you want to accept access. Still, credentials and authorization keys should never be present directly in Javascript.

– OnoSendai

2016/07/13 at 19:56
@Haffy Do not use the edit field to change the intention of the question, as it risks invalidating the answers already given. Instead, ask another question.

– Pablo Almeida

2016/07/14 at 01:52

2 answers

Browser other questions tagged javascript firebase

You are not signed in. Login or sign up in order to post.

by Gabriel Rodrigues • **15,969** points · Answer 1 · 2016-07-13T20:15:01+00:00

The biggest issue at this point is to allow someone not authenticated to read/write the information in your database. by default Firebase blocks this.

If you go on Menu -> DataBase -> Rules will see the following:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

This way non-authenticated users cannot consume information.

Take a look at this: Quickstart for Firebase Security

by Klaider • **2,509** points · Answer 2 · 2016-07-08T23:16:50+00:00

It is possible to obfuscate the code with several Javascript obfuscators and compressors to prevent the code from being readable or editable, but the most accurate is to "reinforce" the code, which does not yet have any tool developed. It could be basically made a condition like this to check if the domain of the page is true:

var i = location.href.indexOf('//') + 2,
    sub = location.href.substring(i,
                       (location.href.substring(i).indexOf('/') + i) || null
);

sub === "www.example.com" || sub === "example.com";

, which is not sufficient and difficult to apply several times in a project, however.

Jscrambler

Jscrambler is an online Javascript obfuscator and has an option to make the script work on a specific domain (it should be very simple in the basic version), which has a version ancient and a version new. The new version is not free and seems a better base, while the old version is free and has almost no obfuscation feature. I can not prove much the paid version since I never bought - he has an example of demonstration, luckily.

Thanks to easy-to-use Javascript interpreters some tool can be created in the future, or near here.