Restrict your api-key to your domain

A good way to secure your app is to restrict any front-end api-key to be accessible only on the domains you choose.

Firebase automatically configures the api-key for us, but this key is currently unrestricted. To restrict the domains that can use it, we must go to Google Cloud API console. The URL to do so will be something like:

https://console.cloud.google.com/apis/credentials?project=YOUR_APP_ID_HEREconsole.cloud.google.com

Change the YOUR_APP_ID_HERE text to your Firebase APP ID.

Remember, you can see your app ID on the Firebase Console, settings (see image below).

Restricting your api-key

1) The Firebase generated API-KEY will be identified as being "auto created by Firebase". Click on the key, to open it's settings.

2) On the "Key restrictions" settings, choose the "Websites" option.

3) Finally, enter the URLs or domains you'd like to allow your credentials to be used and hit "Save".

You can leave "API restrictions" as it is, with "Don't restrict key" checked.

Important! You must also allow the domains on your Firebase Authentication Settings for features like Google/Facebook/Github login to work properly.

For instance, "yourfirebaseappid.firebaseapp.com".

Done! Your api-key is now secure.