Read thru a lot of posts and articles on how people handle api keys. I think some made it secure to get api keys via Node Server, some store it at .env file.
Sample posts I've read
My situation:
Currently I'm storing my API KEYs in .env files, because I'm uglifying my code in React. Those files are unreadable even via Inspect Element, but now all my api keys are exposed in readable format.
My use case:
My website don't require sign in, hence no authentication needed. Basically it's API KEY for firebase analytics. I don't think it make sense to create a Node Server to get the api key here? (And again, I don't need authentication)
How can I better handle the API KEYs?
I don't think exposing the Firebase key is a security threat as per this article: https://medium.com/@paulbreslin/is-it-safe-to-expose-your-firebase-api-key-to-the-public-7e5bd01e637b
GCP usually allows you to restrict api keys by domain. That maybe one way to secure your config and prevent other people from spoofing requests as your project.
In any other situation however, I would not expose api keys in client-side code and have an intermediate server or a cloud-function that uses it instead.