Is Firebase E-mail Auth example secure?

Published 2019-05-28 18:17

Question:

I am trying the Firebase JS SDK; naturally, I picked up the provided example and started to dive in.

The example code is for e-mail sign in, hosting on Firebase.

What surprises me is that all password-compliance checking is done client-side:

...
    function toggleSignIn() {
      if (firebase.auth().currentUser) {
        // [START signout]
        firebase.auth().signOut();
        // [END signout]
      } else {
        var email = document.getElementById('email').value;
        var password = document.getElementById('password').value;
        if (email.length < 4) {
          alert('Please enter an email address.');
          return;
        }
        if (password.length < 4) {
          alert('Please enter a password.');
          return;
        }
...

What mechanism prevents someone from opening the code in the console, removing the check, and registering under an empty string as e-mail/password?

Searching for Firebase security only tells me that everything is done over HTTPS, and that server-side rules are customizable to prevent anyone not signed in from editing the DB, but what about this?

Answer 1:

The sample code you link to is from the documentation of the Firebase email+password authentication provider. I recommend reading the documentation page too, instead of just the sample code in isolation.

When I try to create a user with a short password (123), the Firebase Authentication server responds with:

{code: "auth/weak-password", message: "The password must be 6 characters long or more."}

As you can see, the server validates the strength of the password too.

It is quite common to perform validations both client and server side.

  • Validations must be performed on the server to ensure that they can't be hacked around, as you said.
  • By also validating the values client-side, you can ensure a better user experience. In this example: you can prevent the need for a round-trip to the server in case the user enters an invalid email address.
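An added example (not from the question, the answer, or Firebase's own sample) of the two-layer pattern the answer describes: a client-side pre-check for user experience, and a server-side check that still rejects the input when the client check is stripped. The 6-character rule and the `auth/weak-password` response are the ones quoted in the answer; `fakeAuthServer` is a constructed stand-in for Firebase's backend so the flow runs offline.

```javascript
// Added example: the client-side check is only a UX shortcut; the server
// re-validates every request and is the real security boundary.
// `fakeAuthServer` is a constructed stand-in, not the Firebase SDK.

const MIN_PASSWORD_LENGTH = 6; // rule quoted from the server's error message

// Client-side pre-check, in the spirit of the sample's length checks.
// Anyone can delete this in the browser console, so it is never relied on.
function clientSideCheck(email, password) {
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: 'Please enter a valid email address.' };
  }
  if (password.length < MIN_PASSWORD_LENGTH) {
    return { ok: false, reason: 'Password must be at least 6 characters.' };
  }
  return { ok: true };
}

// Constructed stand-in for the authentication server. It validates
// independently of whatever the client did (or did not) check.
const fakeAuthServer = {
  createUserWithEmailAndPassword(email, password) {
    if (!email.includes('@')) {
      throw { code: 'auth/invalid-email', message: 'Invalid email.' }; // constructed text
    }
    if (password.length < MIN_PASSWORD_LENGTH) {
      throw { code: 'auth/weak-password',
              message: 'The password must be 6 characters long or more.' };
    }
    return { user: { email } };
  },
};

// Sign-up flow. `auth` is injected so the same flow would work with
// firebase.auth(), whose real method returns a Promise and would be awaited.
// `bypassClient` simulates a user who removed the client-side check.
function signUp(auth, email, password, bypassClient = false) {
  if (!bypassClient) {
    const pre = clientSideCheck(email, password);
    if (!pre.ok) return { status: 'rejected-client', reason: pre.reason };
  }
  try {
    const cred = auth.createUserWithEmailAndPassword(email, password);
    return { status: 'created', email: cred.user.email };
  } catch (err) {
    // Server-side rejection: the check the user cannot remove.
    return { status: 'rejected-server', code: err.code, reason: err.message };
  }
}
```

With the client check bypassed, the weak password is still refused, only now with the server's own error code rather than a local alert.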