Humans make mistakes.
While I'm developing my web application using the Firebase Web SDK, providing emulators using connectFunctionsEmulator (for example), a bar appears at the bottom of my web app showing me that I'm using an emulator:
Well, reactfire requires me to use production credentials before I can connect to the emulators. At least the API key. The same seems to be true for the Firebase SDK to begin with.
In fact, the message itself is a bit misleading. It means production data (passwords, real names etc) shouldn't be inputted on the web app as it would be transmitted over HTTP (source).
This is somewhat comforting, since I really don't want any part of the client to interact with production while I'm in the middle of feature development. However, I don't think it's enough.
I want to make it such that it is impossible for me to access production from the development frontend without dismantling failsafes, and for this to carry over by default to other engineers on my team.
Is this possible at the application level?
What I've tried
- HTTP Proxy
This works as expected. I'd prefer not to have to use a proxy if possible.
- Content Security Policy headers
I could be wrong, but everything I read and know about CSP is that it only works for static assets such as images, scripts, and stylesheets. I don't think it'd work for HTTP requests, right?
- Web Conditions in Chrome
This doesn't allow requests to localhost, so it's no-go. Also, it wouldn't carry on to others on my team.
- Turning my wifi off
This works too. Not really portable, though, and worse than just using an HTTP proxy.
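
On the CSP item in the list above: the `connect-src` directive governs fetch, XMLHttpRequest, WebSocket and EventSource connections, so a dev-only policy can confine a page to the local emulators. The sketch below is an added example, not part of the original post; the emulator ports are the Firebase defaults, and the page origin, function names and sample URLs are constructed assumptions.

```javascript
// Added example: dev-only CSP that confines network connections to local emulators.
// Ports are the Firebase emulator defaults (assumption); match them to your firebase.json.
const EMULATOR_ORIGINS = [
  "http://127.0.0.1:9099", // Auth emulator
  "http://127.0.0.1:5001", // Functions emulator
  "http://127.0.0.1:8080", // Firestore emulator
  "http://127.0.0.1:9000", // Realtime Database emulator (REST)
  "ws://127.0.0.1:9000",   // Realtime Database emulator (WebSocket)
];

// Build the value a dev server would send in the Content-Security-Policy header.
function buildDevCsp(origins = EMULATOR_ORIGINS) {
  return `connect-src 'self' ${origins.join(" ")}`;
}

// Simplified model of connect-src matching for exact scheme://host:port sources.
// Browsers implement the full CSP algorithm; this covers only the forms used above.
function connectAllowed(csp, url, pageOrigin) {
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("connect-src "));
  // No connect-src directive; this model ignores the default-src fallback.
  if (!directive) return true;
  const sources = directive.split(/\s+/).slice(1);
  const target = new URL(url);
  const origin = `${target.protocol}//${target.host}`;
  return sources.some((s) => (s === "'self'" ? origin === pageOrigin : s === origin));
}

// Constructed sample requests: one to an emulator, two to production hosts.
function demo() {
  const csp = buildDevCsp();
  const page = "http://localhost:3000"; // hypothetical dev server origin
  return [
    "http://127.0.0.1:8080/google.firestore.v1.Firestore/Listen/channel",
    "https://firestore.googleapis.com/google.firestore.v1.Firestore/Listen/channel",
    "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword",
  ].map((url) => ({ url, allowed: connectAllowed(csp, url, page) }));
}

console.log(buildDevCsp());
console.table(demo());
```

The host in each source must match the host passed to the emulator connect calls literally: `localhost` and `127.0.0.1` are different hosts to CSP.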