Security: abhiyanpa/Cruze-Scan

SECURITY.md

Security Information

Firebase API Keys (Safe to Commit)

The Firebase configuration in src/firebase.ts contains an API key that is safe to expose publicly:

apiKey: "AIzaSyBxuiFea3YYoywEaVjsWOQ7cgK4SO222v4"

Why this is safe:

  • Firebase API keys are designed to be included in client-side code
  • They only identify your Firebase project; on their own they do not grant access to its data
  • Access control is enforced through Firebase Security Rules, not by keeping the key secret
  • Google's official documentation states these keys can be public
  • Read more: Is it safe to expose Firebase apiKey to the public?

VirusTotal API Key (MUST BE PROTECTED)

Your VirusTotal API key must be kept private and should NOT be committed to version control.

Setup

  1. Copy .env.example to .env
  2. Add your VirusTotal API key:
    VITE_VIRUSTOTAL_API_KEY=your-actual-api-key
    
  3. The .env file is already in .gitignore

For Production Deployment

Set the environment variable in your hosting platform:

Firebase Hosting:

# Not recommended for client-side apps - API key will be visible in browser
# Consider using Firebase Functions to proxy VirusTotal API calls

Vercel/Netlify:

# Add in dashboard under Environment Variables
VITE_VIRUSTOTAL_API_KEY=your-api-key

Best Practice for Production

For production apps, consider:

  1. Using Firebase Cloud Functions to proxy VirusTotal API calls
  2. Storing the API key in Firebase Functions environment variables
  3. Keeping the key in Functions environment variables hides it from client-side code entirely
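The proxy described in steps 1 to 3, as an added example that is not part of Cruze-Scan: the framework-agnostic core of a VirusTotal lookup that sets the x-apikey header server-side, with the Firebase Cloud Function wiring shown in a trailing comment. The function name vtLookup, the variable name VIRUSTOTAL_API_KEY and the injected fetcher are assumptions.

```typescript
// Added example (not Cruze-Scan code): server-side VirusTotal proxy core.
// The key is read from a NON-VITE_ variable: Vite only inlines VITE_* variables
// into the browser bundle, so VIRUSTOTAL_API_KEY never reaches the client.
const VT_FILES = "https://www.virustotal.com/api/v3/files/";
// Accept only an MD5, SHA-1 or SHA-256 hex digest; rejects path tricks like "../".
const HASH_RE = /^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i;

interface ProxyResult { status: number; body: Record<string, unknown>; }
type Fetcher = (url: string, init: { headers: Record<string, string> }) =>
  Promise<{ status: number; json(): Promise<unknown> }>;

function isValidHash(h: unknown): h is string {
  return typeof h === "string" && HASH_RE.test(h);
}

// Forward only the detection counts the UI needs, never the raw upstream body.
function summarizeReport(data: unknown): Record<string, number> {
  const stats = ((data as any)?.data?.attributes?.last_analysis_stats ?? {}) as Record<string, unknown>;
  const pick = (k: string) => (typeof stats[k] === "number" ? (stats[k] as number) : 0);
  return { malicious: pick("malicious"), suspicious: pick("suspicious"),
           harmless: pick("harmless"), undetected: pick("undetected") };
}

async function lookupFileReport(hash: unknown, apiKey: string | undefined,
                                fetcher: Fetcher): Promise<ProxyResult> {
  // Fail closed when the key is missing; never echo the key or upstream errors.
  if (!apiKey) return { status: 500, body: { error: "server misconfigured" } };
  if (!isValidHash(hash)) {
    return { status: 400, body: { error: "expected an MD5, SHA-1 or SHA-256 hex digest" } };
  }
  const id = hash.toLowerCase();
  const res = await fetcher(VT_FILES + id, { headers: { "x-apikey": apiKey } });
  if (res.status === 404) return { status: 404, body: { error: "hash not known to VirusTotal" } };
  if (res.status !== 200) return { status: 502, body: { error: "upstream error" } };
  return { status: 200, body: { hash: id, ...summarizeReport(await res.json()) } };
}

// Wiring in functions/src/index.ts (not run here; firebase-functions v2 API):
//   import { onRequest } from "firebase-functions/v2/https";
//   export const vtLookup = onRequest({ secrets: ["VIRUSTOTAL_API_KEY"] }, async (req, res) => {
//     const r = await lookupFileReport(req.query.hash, process.env.VIRUSTOTAL_API_KEY, fetch);
//     res.status(r.status).json(r.body);
//   });
```

The client then calls the function URL with the file hash and never sees the VirusTotal key.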

Reporting Security Issues

If you discover a security vulnerability, please email: [your-email]

Do not create public GitHub issues for security vulnerabilities.