The allowed domains for authentication that Thiado Bocchile spoke about concern only Authentication. That is, in the case of frontend development with JavaScript, even if someone downloads your entire page, they will not be able to authenticate through that copy, because it is not hosted in an allowed place (if you removed localhost, of course). But that is not enough. Since it is not possible to hide the Firebase access data (even if you "hide" it on the server and fetch it at runtime, the access data for that fetch will be available in the JS file), you need to protect the data and files through Authorization, allowing only Authenticated users to access the data, and only the data that each user has Authorization for. Otherwise, the "attacker" can, for example, access the data even without authentication, or with u (or as anonymous). Security on Firebase only works through Authentication together with Authorization; any oversight, and someone can read and delete all your data with 3 lines of code.
P.S. Even though I said that "hiding" the data on the server does not solve it, it helps a bit, because it makes it more difficult for the attacker to know what he is looking for in the code. By default he only looks for the word apiKey, and with it he finds all the access information in the minified code.
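
The Authentication-plus-Authorization point above, shown as security rules. This is an added example, not part of the original answer: it assumes Cloud Firestore and a hypothetical `users/{userId}` layout in which each user's documents live under their own UID.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (do not deploy): no authentication and no authorization.
    // Anyone holding the public config from the JS bundle can read and
    // delete every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // STILL WEAK: authentication without authorization. Any signed-in
    // user, including an anonymous one, can reach every user's data.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened: the caller must be signed in with a non-anonymous provider...
    function isRealUser() {
      return request.auth != null
        && request.auth.token.firebase.sign_in_provider != 'anonymous';
    }

    // ...and may only touch documents under their own UID
    // (hypothetical collection layout, adjust to your data model).
    match /users/{userId}/{document=**} {
      allow read, write: if isRealUser() && request.auth.uid == userId;
    }

    // No other match blocks: every path not listed above is denied by default.
  }
}
```

The same pattern applies to files in Cloud Storage, which has its own rules file with the same `request.auth` checks.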