First question: I would like to limit the use of Google APIs (quotas) in order to avoid high expenses.
For the Google Maps APIs it is very simple to limit them.
On the other hand in the case of Google Cloud Functions there is no way to limit them, given that we necessarily move to a paid plan, and that someone could use my Firebase config so I set up securities:
I limit the API web key only to the necessary APIs (cloud functions, appcheck, recaptcha).
I use an instance maximum of 1 for each function.
I set up AppCheck with reCaptcha Enterprise.
I added enforceAppCheck on cloud functions.
But how to properly secure AppCheck? In fact the charges depends only on reCaptcha (paying after 1 million requests). Except that there is nothing that can prevent someone from retrieving my firebase config and making requests to appcheck, am I wrong?
In the api, reCaptcha enterprise, quotas page, what quotas should be modified to be sure to never reach 1 million? Or to avoid someone to steal my config and do requests?
Second question: I integrated AppCheck with this (tutorial), but for debug I follow this and it doesn't work. I have this error (Failed to load resource: the server responded with a status of 403)...
I added FIREBASE_APPCHECK_DEBUG_TOKEN, I retrieved the key and added it to firebase.