
    Firebase Security Rules

    Complete guide to implementing Firestore security rules. Learn how to secure AI-generated Firebase databases with proper authentication, validation, and authorization rules.

    Test Mode Rules Expire After 30 Days

    Firebase projects created in test mode start with open allow read, write: if true rules that are set to expire after 30 days. AI-generated projects often forget to replace these with proper security rules, leaving the database wide open until the rules expire and inaccessible to the app afterwards.

    Firebase Security Rules Implementation Checklist

    Follow these 12 steps to properly implement Firebase security rules. Critical items must be completed for every collection and storage bucket.

    Step 1

    Secure Firestore collections with rules

    Critical

    Replace allow read, write: if true with proper authentication checks. Default Firebase rules allow unrestricted access to all data.

    Step 2

    Validate user authentication in rules

    Critical

    Use request.auth != null to require authentication. For user-owned data, also check that request.auth.uid matches the document's owner.

    Step 3

    Validate data types and structure

    Critical

    Use request.resource.data to validate that incoming data matches the expected schema: check field types, required fields, and value ranges.

    Step 4

    Implement field-level validation

    Critical

    Prevent users from setting admin flags, timestamps, or other system-managed fields. Validate string lengths, number ranges, and array sizes.

    Step 5

    Protect subcollections properly

    Critical

    Security rules do not cascade to subcollections: a rule on /posts/{postId} says nothing about /posts/{postId}/comments. Write explicit rules for every subcollection path.

    Step 6

    Secure Firebase Storage with rules

    Critical

    Apply authentication and size limits to Cloud Storage. Validate file types and prevent unauthorized access to user uploads.
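The following storage.rules file is an added example, not code from this page or from VibeEval. It assumes a per-user layout of /users/{uid}/uploads/{file}, a 5 MiB limit, image uploads only, and an admin custom claim named admin; all of those are assumptions chosen for the illustration.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    function isSignedIn() {
      return request.auth != null;
    }
    // Assumed custom claim 'admin' set through the Admin SDK.
    function isAdmin() {
      return isSignedIn() && request.auth.token.admin == true;
    }

    // Assumed per-user upload folder: /users/{uid}/uploads/{file}
    match /users/{userId}/uploads/{fileName} {
      // Only the owner or an admin may download or list the files.
      allow read: if isSignedIn() && (request.auth.uid == userId || isAdmin());

      // Uploads: owner only, capped size, image content types only, plain file
      // names. request.resource is the object being written and is null on
      // delete, so delete gets a separate rule instead of a blanket 'write'.
      allow create, update: if isSignedIn() && request.auth.uid == userId
        && request.resource.size <= 5 * 1024 * 1024                 // 5 MiB (assumed limit)
        && request.resource.contentType.matches('image/(png|jpeg|webp)')
        && fileName.matches('^[A-Za-z0-9_.-]{1,100}$');
      allow delete: if isSignedIn() && (request.auth.uid == userId || isAdmin());
    }
    // Any other object path matches no rule and is therefore denied.
  }
}
```

The contentType check is a sanity filter, not a guarantee: the content type is declared by the uploading client, so anything that later serves or processes the file should still verify it server-side.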

    Step 7

    Use custom claims for role-based access

    Implement admin, moderator, or other custom roles by setting custom claims on the user's token and checking them through request.auth.token in your rules.

    Step 8

    Validate timestamps and audit fields

    Use request.time for server timestamps so that users cannot backdate records or manipulate created_at fields.

    Step 9

    Add rate limiting to expensive operations

    Limit bulk reads or writes in security rules. Consider using Cloud Functions with rate limiting for complex operations.
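The firestore.rules file below is an added example covering Steps 1 to 5 and 7 to 9 together; it is not code from this page or from VibeEval. It assumes a users collection with a posts subcollection, the field names shown, an admin custom claim named admin, and a ten-second update interval; every one of those is an assumption made for the illustration.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // ---- helpers (assumed 'admin' custom claim set via the Admin SDK) ----
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }
    function isAdmin() {
      return isSignedIn() && request.auth.token.admin == true;
    }
    // Schema for a post document (assumed fields). hasOnly() rejects any
    // extra field, so a client cannot smuggle in flags such as isAdmin.
    function isValidPost(data) {
      return data.keys().hasOnly(['title', 'body', 'ownerId', 'createdAt', 'updatedAt'])
        && data.keys().hasAll(['title', 'body', 'ownerId', 'createdAt'])
        && data.title is string && data.title.size() >= 1 && data.title.size() <= 120
        && data.body is string && data.body.size() <= 10000
        && data.ownerId is string
        && data.createdAt is timestamp;
    }

    // /users/{userId}: a user may read and edit only their own profile.
    match /users/{userId} {
      allow read: if isOwner(userId) || isAdmin();
      allow create: if isOwner(userId)
        && request.resource.data.keys().hasOnly(['displayName', 'createdAt'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 50
        // createdAt must be the server time (FieldValue.serverTimestamp()),
        // which the rules engine evaluates as request.time.
        && request.resource.data.createdAt == request.time;
      allow update: if isOwner(userId)
        // Only displayName may change; createdAt cannot be rewritten.
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['displayName'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 50;
      allow delete: if isAdmin();

      // Rules do not cascade: without this nested match block,
      // /users/{userId}/posts/{postId} would match nothing and be denied.
      match /posts/{postId} {
        allow read: if isOwner(userId) || isAdmin();
        allow create: if isOwner(userId)
          && isValidPost(request.resource.data)
          && request.resource.data.ownerId == userId
          && request.resource.data.createdAt == request.time;
        allow update: if isOwner(userId)
          && isValidPost(request.resource.data)
          // Ownership and creation time are immutable after creation.
          && request.resource.data.ownerId == resource.data.ownerId
          && request.resource.data.createdAt == resource.data.createdAt
          && request.resource.data.updatedAt == request.time
          // Crude per-document rate limit: at most one update every 10 seconds (assumed interval).
          && (!('updatedAt' in resource.data)
              || request.time > resource.data.updatedAt + duration.value(10, 's'));
        allow delete: if isOwner(userId) || isAdmin();
      }
    }
    // No other path is matched, so everything else is denied.
  }
}
```

Two points worth noting. Any path that matches no rule is denied, so the nested match block is what grants the owner access to the subcollection without widening it. And the timestamp comparisons only work when the client writes FieldValue.serverTimestamp(); a client-supplied timestamp will never equal request.time and is rejected, which is the intended effect. Before deploying, load the file into the Emulator Suite (firebase emulators:start --only firestore) and exercise each rule as an unauthenticated user, the owner, a different signed-in user, and a user with the admin claim.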

    Step 10

    Test rules with Firebase Emulator

    Use Firebase Emulator Suite to test security rules before deployment. Verify rules with different user roles and edge cases.

    Step 11

    Monitor security rule violations

    Enable Firebase Security Rules monitoring to detect unauthorized access attempts and rule bypasses.

    Step 12

    Document complex rule logic

    Add comments explaining business logic in security rules. Document why certain patterns are allowed or denied.

    Common Firebase Security Issues

    Default Permissive Rules

    Critical

    AI-generated Firebase projects often include allow read, write: if true for testing and leave it in place in production.

    Missing Subcollection Rules

    Critical

    Rules are defined for the parent collection, but subcollections inherit no protection from them, allowing unrestricted access.

    No Data Validation

    High

    Rules check authentication but not data structure, allowing users to inject arbitrary fields or malicious content.

    Storage Rules Forgotten

    High

    Firestore rules are secured, but Cloud Storage still uses the default permissive rules, exposing uploaded files.


    Test Your Firebase Security Rules

    VibeEval automatically tests your Firebase security rules across different scenarios to identify missing rules, overly permissive conditions, and validation gaps.
