How to ensure security when storing the server token client side? #186
-
|
Hi @TheAlphamerc , thank you once again for sharing this project. I'm looking to implement a firebase REST API for the FCM notification like yours. But I noticed that you have included the FCM server key in the client-side code. Wouldn't it be a security risk, as malicious users can get that key and send any message they want to all of the users? Is there a way to ensure the security of the server token?? Or is using the cloud function to send the notification the only way to make it more secure ?? Thank you in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
Storing FCm server kry on client side is not a good approach. There is one way to keep it secure if it can be stored at server side. Using the cloud functions to send notification is definitely a good approach. |
Beta Was this translation helpful? Give feedback.
-
|
Ok, thank you for your prompt reply! I'll do it through the cloud function then. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @TheAlphamerc, can I just check with you, if storing the FCM token client-side while storing the FCM server key on the server side presents any security risk? Because from what I understand, a malicious user wouldn't be able to send the push notification even if they have the FCM token without the FCM server key |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, You are right. If FCM server key is stored in the server then no other malicious user can send the notification. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you so much! Really appreciate your help! |
Beta Was this translation helpful? Give feedback.
Storing FCm server kry on client side is not a good approach. There is one way to keep it secure if it can be stored at server side. Using the cloud functions to send notification is definitely a good approach.