英文:
Is it wise to store my API keys in Firebase Remote Config?
问题
我想知道将我的敏感API密钥存储在Firebase远程配置中的全部优缺点是什么。
我知道Flutter Secure Storage可以在运行时加密和解密敏感数据,但大多数来源都建议将API密钥存储在服务器上而不是客户端。如果我将API密钥存储在FIREBASE REMOTE CONFIG上,会有什么风险,我可能会得到什么,以及可能会失去什么。谢谢。
英文:
I would like to know what the full pros and cons are for storing my SENSITIVE API KEYS AT Firebase Remote Config.
I am aware of flutter secure storage which encrypts and decrypts sensitive data at Runtime, but most sources suggest it is always safer to store api keys on the server rather than on the client.
What risks are involved if I store my API keys at FIREBASE REMOTE CONFIG and what do I stand to gain and lose.Thanks
答案1
得分: 0
建议不仅仅是将数据存储在服务器上,还要仅在服务器上使用它。每当您在应用程序中使用敏感数据,例如通过远程配置将其发送到设备时,恶意用户可能会访问它。
泄露API密钥的风险取决于该特定API密钥允许恶意用户访问的内容。例如,如果用户获取了Firebase云消息传递所使用的所谓服务器密钥,他们可以使用它向您的任何用户发送消息。但如果他们获取了您的Google Cloud项目的管理凭据,他们可以随心所欲地使用整个项目。
请注意,Firebase的客户端配置数据不是保密的,详细信息请参阅此处:https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public/37484053#37484053
还请参考以下链接:
- https://stackoverflow.com/questions/39126647/is-it-ok-to-use-firebase-remoteconfig-to-store-api-keys
- https://stackoverflow.com/questions/66361728/using-firebase-remote-config-instead-of-env-file
英文:
The recommendation is not so much to just store the data on the server, but also to only ever use it on the server. Any time you use sensitive data inside your application, such as when you send it to the device through Remote Config, a malicious user may gain access to it.
The risk of leaking an API key depends on what that specific API key allows a malicious user to access. For example, if a user gains access to the so-called server key that is used by Firebase Cloud Messaging, they can use it to send messages to any of your users. But if they gain access to the administrative credentials of your Google Cloud project, they can do with that entire project whatever they want.
Note that Firebase's client-side configuration data is not a secret, as explained here: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public/37484053#37484053
Also see:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论