The Firebase API keys in this repository are client-side keys that are designed to be public. They are found in:
- public/firebase-messaging-sw.js - Client-side code
These keys are NOT secrets and are secured by:
- API Key Restrictions - Domain whitelist in Google Cloud Console
- Firebase Security Rules - Server-side access control
- App Check (optional) - Additional bot protection
✅ API Key Restrictions Applied:
- HTTP referrer restrictions (domain whitelist)
- API restrictions (only Firebase services enabled)
✅ Firebase Security Rules:
- Database access controlled by authentication
- Storage access controlled by user permissions
✅ Server-Side Secrets:
- Firebase Admin SDK private key stored in environment variables only
- Never committed to repository
- Only accessible server-side
Firebase client API keys are different from traditional API keys:
- They identify your Firebase project - like a project ID
- They don't grant access - Firebase Security Rules control access
- They're meant to be in client code - every Firebase web app has them visible
- They're protected by domain restrictions - only your domains can use them
Reference: Firebase Security Documentation
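To make "access controlled by authentication" and "controlled by user permissions" concrete, here is an added illustration of Firebase Security Rules; it is not the project's own rules (this page does not include them) and it assumes Cloud Firestore as the database and a per-user `users/{userId}` layout in both Firestore and Storage.

```rules
// firestore.rules (illustrative, assumed layout: one document per user under /users)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A user may read and write only their own document.
    // request.auth is null for unauthenticated callers, so a leaked
    // client API key alone never satisfies this condition.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Unmatched paths are already denied by default; this rule
    // just makes the deny-by-default intent explicit and reviewable.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

// storage.rules (illustrative, assumed layout: /users/{userId}/... per user)
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      // Any signed-in user may read; only the owner may write,
      // and uploads are capped in size to limit abuse.
      allow read:  if request.auth != null;
      allow write: if request.auth != null
                   && request.auth.uid == userId
                   && request.resource.size < 5 * 1024 * 1024;
    }
  }
}
```

With rules like these in place, the public key only identifies the project; every read or write is still evaluated server-side against the caller's authentication, which is the property the sections above rely on.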
Please do not open a public issue for suspected vulnerabilities.
Preferred path:
- Use GitHub's private vulnerability reporting or repository security advisory flow if it is enabled.
- If private reporting is not available, contact the maintainer through the repository owner's GitHub profile or other documented private channel.
Include:
- A short description of the issue
- Reproduction steps or proof of concept
- Affected routes, files, or deployment surface
- The impact you believe it has
The goal is coordinated disclosure and a private fix first.
- VITE_FIREBASE_* - Firebase client configuration - Safe to expose in client bundles
- FIREBASE_ADMIN_PRIVATE_KEY - Never expose
- GOOGLE_CLIENT_SECRET - Never expose
- DATABASE_URL - Never expose
These are stored in:
- .env.local (gitignored)
- Vercel environment variables (production)