johnb003

Reputation: 1909

Is FCM on the web secure without an app server?

I want to generate messages from clients on my site, and send messages to a target device. It's simple with an ajax(jquery) request like this:

// Question's original client-side call (insecure pattern, kept as posted):
// `title` and `msg` are assumed to be set elsewhere on the page,
// XXXXXXXXXXXX stands for the target device's registration token and
// YYYYYYYYYY for the FCM server key.
$.ajax({
    url: 'https://fcm.googleapis.com/fcm/send',
    type: 'POST',
    contentType: "application/json",
    dataType: 'json',
    data: JSON.stringify({
        "notification": {
            "title": title,
            "body": msg,
            "sound": "default"
        },
        "to": "XXXXXXXXXXXX"   // recipient device token
    }),
    beforeSend: function(xhr) {
        // server key sent from the browser, visible to anyone who views the page
        xhr.setRequestHeader('Authorization', 'key=YYYYYYYYYY');
    }
});

But then, don't I need to keep the XXXXXXXXXXXX device key and the YYYYYYYYYY API key private? If not, I'm worried people will start scraping these up and spamming from totally unrelated services.

Upvotes: 3

Views: 803

Answers (1)

Frank van Puffelen

Reputation: 599021

This is definitely not secure. The key that you're passing into the Authorization header is called a server key, since you're only supposed to use it on an app server (or in some other process that you directly control).

If you put this same key in code that runs on every client's device, it means that malicious users can (and thus will) be able to copy your server key and use that to send messages to your app's users on your behalf.

The Firebase Cloud Messaging documentation explains this in its section on FCM server roles. We also have a blog post that explains how to send device-to-device messages on Android using Cloud Messaging, the Realtime Database and a Node.js script on your back-end app server.

Upvotes: 7
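The app-server pattern the answer recommends, as an added example that is not part of the question, the answer or Firebase's own code: the browser sends only a recipient id and message text; the back end authenticates the caller, checks that the recipient may be messaged, rate-limits, resolves the device token from its own store, and builds the same `fcm/send` request the question shows, so neither the server key nor any device token reaches a client. The session, contact and token stores, `FCM_SERVER_KEY` and the limits are constructed assumptions; the returned request object is what the server (not the browser) would POST.

```javascript
// Added example (not from the page): server-side handling of a client's "send a message" call.
const FCM_ENDPOINT = 'https://fcm.googleapis.com/fcm/send';
// Server key lives only in the back end's environment; placeholder when unset.
const FCM_SERVER_KEY = process.env.FCM_SERVER_KEY || 'placeholder-server-key';

// Constructed sample state standing in for a session store, a contacts table and a token table.
const sessions = new Map([['sess-abc', { userId: 'alice' }]]);
const contacts = new Map([['alice', new Set(['bob'])]]);            // who may message whom
const deviceTokens = new Map([['bob', 'constructed-device-token-for-bob']]);

const MAX_PER_MINUTE = 5;
const sendLog = new Map(); // userId -> timestamps of recent sends

// Sliding-window rate limit so a stolen session cannot spam on the sender's behalf.
function allowed(userId, now) {
  const recent = (sendLog.get(userId) || []).filter((t) => now - t < 60000);
  if (recent.length >= MAX_PER_MINUTE) return false;
  recent.push(now);
  sendLog.set(userId, recent);
  return true;
}

// Validates the client's request and returns either an error status or the outbound FCM request.
function handleClientMessage(sessionId, { recipientId, title, body }, now = Date.now()) {
  const session = sessions.get(sessionId);
  if (!session) return { status: 401, error: 'not authenticated' };
  if (typeof title !== 'string' || typeof body !== 'string' ||
      title.length > 100 || body.length > 1000) {
    return { status: 400, error: 'invalid message' };
  }
  // Authorization: the caller may only message users it is allowed to reach.
  if (!(contacts.get(session.userId) || new Set()).has(recipientId)) {
    return { status: 403, error: 'recipient not permitted' };
  }
  if (!allowed(session.userId, now)) return { status: 429, error: 'rate limited' };
  const token = deviceTokens.get(recipientId); // resolved server-side, never sent to clients
  if (!token) return { status: 404, error: 'recipient has no device' };
  return {
    status: 200,
    request: {
      url: FCM_ENDPOINT,
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `key=${FCM_SERVER_KEY}` },
      body: JSON.stringify({ to: token, notification: { title, body, sound: 'default' } }),
    },
  };
}
```

The browser-side code then posts `{recipientId, title, body}` to this endpoint with its normal session cookie, and the page's `XXXXXXXXXXXX`/`YYYYYYYYYY` values never appear in client code.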
