I am working on a only-web flutter project and I am using Firebase Cloud Firestore. As you know, we need to add config files to "index.html" file in order to have a connection with firebase. My project is very simple, it has a form that takes input and stores it to the firestore. Everyone can use it without logging in.
My problem is: Everyone can inspect the page code and see the credentials in the config file.
Question is: Is it a problem? I don't want people to abuse the website by using the credentials or get access to my firebase project. If it is a problem, how can I hide it?
Thank you.
There are no credentials in Firebase configurations. There are just configurations that tell code where to find your project and database. These configurations are effectively public information when you publish your app. There's nothing you can do to hide them completely.
If you are concerned about the security of data in Firestore, you will need to use security rules along with Firebase Authentication to indicate who is allow to read and write which parts of your database. It's not possible to secure the database to just a specific app or web domain, since the Firebase APIs are all effectively public APIs. Security rules are what make the database secure.
Also read: Is it safe to expose Firebase apiKey to the public?