I am using Firebase App Check as part of my web application, which I intend to expose to the public (production).
To set it up, I am given a "reCAPTCHA Enterprise site key" which I am asked to use to initialize App Check on the client side like so
import { initializeAppCheck, ReCaptchaEnterpriseProvider } from "firebase/app-check";

// `app` is the FirebaseApp instance returned earlier by initializeApp(...)
initializeAppCheck(app, {
  provider: new ReCaptchaEnterpriseProvider("my-site-key"),
});
My question is: would it be safe to store the site key on the client side, such as in a .env file? Is it okay for this site key to be exposed like that? Is it just a way for Google to identify my application, and not a secret key?
Answers
Three things:

1. .env files are not on the client at all. They just provide values at build time that might eventually get added into the client code if they are referenced by the code.

2. If you're instructed to pass that key into initializeApp, then you can't possibly hide the key from the client. The client necessarily has to get a hold of it somehow in order to provide it to Firebase. You could go through a lot of trouble to make it difficult for someone to get the key, but since the value has to be in the client at some point, it's impossible to hide entirely.

3. reCAPTCHA wouldn't offer much protection if it was easy to subvert by simply getting a hold of a key that must be delivered publicly. The key is clearly not a problem if it lives in the client by design.
If App Check is used to protect you against billing fraud on Firebase and the reCAPTCHA key is exposed in the client, then can they do billing fraud against the reCAPTCHA servers instead? Or have I missed something?
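The first point of the answer above (a .env value only reaches the browser if client code references it, and then it is inlined as a literal) is the thing worth checking before you ship. The following Node.js script is an added example, not code from the question or the answer: it parses a .env file, takes a built client bundle, and reports which values ended up in it, separating variables with a public prefix (such as the reCAPTCHA site key, which is expected to be there) from private ones that should never appear. The .env contents, the bundle text and every variable name and value below (VITE_RECAPTCHA_SITE_KEY, RECAPTCHA_SECRET_KEY, and so on) are constructed for the illustration; the prefix list reflects the convention of Vite, Next.js and Create React App, so adjust it for your own build tool.

```javascript
// Added example (not from the original post): audit a built client bundle for
// values that came from a .env file. All inputs below are constructed.

// Bundlers only expose variables carrying a public prefix to client code,
// and only inline them where the code references them. Anything without such
// a prefix is meant to stay server-side. Adjust for your build tool.
const PUBLIC_PREFIXES = ["VITE_", "NEXT_PUBLIC_", "REACT_APP_"];

// Minimal .env parser: KEY=value lines, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    vars[name] = value;
  }
  return vars;
}

function isPublicName(name) {
  return PUBLIC_PREFIXES.some((prefix) => name.startsWith(prefix));
}

// Classify each .env value by whether its literal text occurs in the bundle:
//   expected: public-prefixed value found in the bundle (by design, like a site key)
//   leaked:   non-public value found in the bundle (a real problem)
//   absent:   value not present in the bundle at all
function auditBundle(bundleSource, envVars) {
  const result = { expected: [], leaked: [], absent: [] };
  for (const [name, value] of Object.entries(envVars)) {
    if (!value) continue;
    if (!bundleSource.includes(value)) {
      result.absent.push(name);
    } else if (isPublicName(name)) {
      result.expected.push(name);
    } else {
      result.leaked.push(name);
    }
  }
  return result;
}

// Constructed sample .env (values are placeholders, not real keys).
const SAMPLE_DOTENV = `
# public: shipped to the browser by design
VITE_RECAPTCHA_SITE_KEY=6Lexample-site-key
VITE_FIREBASE_PROJECT_ID=demo-project
# private: must never be referenced from client code
RECAPTCHA_SECRET_KEY=6Lexample-secret-key
STRIPE_SECRET=sk_test_constructed
`;

// Constructed sample of bundler output: the site key reference was inlined as
// expected, and a private variable was (mistakenly) referenced and inlined too.
const SAMPLE_BUNDLE = `
initializeAppCheck(app,{provider:new ReCaptchaEnterpriseProvider("6Lexample-site-key")});
fetch("/api/verify",{headers:{"x-secret":"6Lexample-secret-key"}});
`;

function runAudit() {
  return auditBundle(SAMPLE_BUNDLE, parseDotenv(SAMPLE_DOTENV));
}

const report = runAudit();
console.log("expected in bundle (public values):", report.expected);
console.log("LEAKED (private values in client bundle):", report.leaked);
console.log("not in bundle:", report.absent);
```

For a real project, replace SAMPLE_DOTENV and SAMPLE_BUNDLE with the contents of your .env file and of the files under your build output directory. A site key turning up under "expected" is the situation the answer describes and is fine; anything under "leaked" is a value that the build inlined even though nothing on the client side should have needed it.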