FIREBASE STUDIO
Step-by-step guide to securing your Firebase Studio development environment and the applications you build with it.
Firebase Studio Security Context
Firebase Studio (Google’s IDX-derived AI dev environment) generates full-stack apps with Gemini and wires them into Firebase by default. The IDE itself is sandboxed — your code lives on Google’s infrastructure during development. The output, however, is a normal Firebase app with all the same risks: open Firestore rules, missing App Check, exposed Cloud Function URLs, and OAuth redirect lists that include the *.cloudworkstations.dev URL from development.
Security Checklist
1. Review Firestore security rules (Critical)
Open firestore.rules. The Studio default for new projects is “test mode,” which is allow read, write: if request.time < timestamp.date(2026, X, X); — read as “publicly readable and writable until this date.” Replace with real predicates:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Each user may read and write only their own profile document.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Posts: any signed-in user may read; only the author may create, update or delete.
    match /posts/{postId} {
      allow read: if request.auth != null;
      // On create there is no existing document (resource is null), so the author id
      // must be taken from the incoming write (request.resource).
      allow create: if request.auth != null && request.resource.data.author_id == request.auth.uid;
      allow update, delete: if request.auth != null && resource.data.author_id == request.auth.uid;
    }
  }
}
Then firebase deploy --only firestore:rules. Verify with the Firebase Scanner.
2. Disable test mode before deploying (Critical)
In Firebase Console → Firestore → Rules: confirm there is no if request.time < timestamp.date(...) clause. Test mode is fine during development; left enabled in production it is a public database with a delayed expiry — and the expiry usually arrives after launch, when nobody is watching.
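A pre-deploy check for steps 1 and 2, added here as an example (not part of the original page or of Firebase Studio): it scans a rules file for the time-boxed test-mode clause and for unconditional allows, so CI can block firebase deploy until they are gone. The file name check-rules.js and the sample rules text are assumptions.

```javascript
// Added example (not from the original page): a pre-deploy check that fails
// when firestore.rules / storage.rules still contain a "test mode" clause.
// Run it in CI before `firebase deploy --only firestore:rules`.

// Patterns that mean "publicly readable/writable", possibly until a future date.
const TEST_MODE_PATTERNS = [
  { name: 'time-boxed test mode', re: /allow\s+[\w,\s]+:\s*if\s+request\.time\s*<\s*timestamp\.date\(/ },
  { name: 'unconditional allow', re: /allow\s+[\w,\s]+:\s*if\s+true\s*;/ },
];

// Returns one finding per offending line: { line, rule, text }.
function findTestModeClauses(rulesText) {
  const findings = [];
  rulesText.split('\n').forEach((text, idx) => {
    const stripped = text.replace(/\/\/.*$/, ''); // ignore commented-out rules
    for (const { name, re } of TEST_MODE_PATTERNS) {
      if (re.test(stripped)) findings.push({ line: idx + 1, rule: name, text: text.trim() });
    }
  });
  return findings;
}

// Reads a rules file from disk and reports findings; returns false so CI can block the deploy.
function checkRulesFile(path) {
  const fs = require('fs'); // loaded here so the pure checker above has no I/O dependency
  const findings = findTestModeClauses(fs.readFileSync(path, 'utf8'));
  for (const f of findings) console.error(`${path}:${f.line}: ${f.rule}: ${f.text}`);
  return findings.length === 0;
}

// Constructed sample: the Studio "test mode" default with a concrete date filled in.
const SAMPLE_TEST_MODE = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2026, 1, 1);
    }
  }
}`;

// Usage: node check-rules.js firestore.rules   (exit code 1 when a clause is found)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  process.exit(checkRulesFile(process.argv[2]) ? 0 : 1);
}
```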
3. Audit Firebase Authentication setup (Critical)
In Firebase Console → Authentication → Settings: enable email enumeration protection. Under Sign-in method: disable “Anonymous” unless you specifically use it (anonymous accounts accumulate forever and can become a bypass surface). Under Templates: confirm the email-verification template is enabled and the action URL points to your production domain, not the cloudworkstations preview.
4. Secure Cloud Functions (Critical)
Every callable function must check context.auth.uid before doing work:
const functions = require('firebase-functions');

exports.updateProfile = functions.https.onCall((data, context) => {
  // Reject unauthenticated callers before touching any data.
  if (!context.auth) throw new functions.https.HttpsError('unauthenticated', 'Login required');
  const uid = context.auth.uid;
  // ... operate only on the document owned by uid, never on a uid taken from data
});
For HTTP functions, use req.headers.authorization and admin.auth().verifyIdToken(token). Studio’s generated functions sometimes ship the auth check in a comment but not the code — read the actual handler, not the docstring.
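The HTTP-function check described above, as an added example that is not Firebase Studio's generated code: a small guard that extracts the bearer token and verifies it, with the verifier injected so the logic runs offline. The names requireAuth, authenticateRequest and fakeVerifyIdToken are assumptions; in production the injected function is admin.auth().verifyIdToken from firebase-admin.

```javascript
// Added example (not Firebase Studio's generated code): a reusable guard for HTTP
// functions that verifies the Firebase ID token in the Authorization header.
// `verifyIdToken` is injected so it can be tested offline; in production pass
// admin.auth().verifyIdToken.bind(admin.auth()) from firebase-admin.
function extractBearerToken(req) {
  const header = (req.headers && req.headers.authorization) || ''; // Node lowercases header names
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  return m ? m[1] : null;
}

// Returns { status: 200, uid, decoded } on success, or { status: 401, error } that the
// handler turns into a response. Every failure path denies; nothing is trusted from the client.
async function authenticateRequest(req, verifyIdToken) {
  const token = extractBearerToken(req);
  if (!token) return { status: 401, error: 'missing bearer token' };
  try {
    // Second argument (checkRevoked) makes firebase-admin reject tokens of revoked sessions.
    const decoded = await verifyIdToken(token, true);
    if (!decoded || !decoded.uid) return { status: 401, error: 'token has no uid' };
    return { status: 200, uid: decoded.uid, decoded };
  } catch (e) {
    return { status: 401, error: 'invalid or expired token' };
  }
}

// Wraps a handler so it runs only for authenticated callers; handler receives (req, res, uid).
function requireAuth(verifyIdToken, handler) {
  return async (req, res) => {
    const auth = await authenticateRequest(req, verifyIdToken);
    if (auth.status !== 200) return res.status(auth.status).json({ error: auth.error });
    return handler(req, res, auth.uid);
  };
}

// Constructed offline stand-in for admin.auth().verifyIdToken: accepts exactly one known token.
async function fakeVerifyIdToken(token) {
  if (token === 'good-token') return { uid: 'user_123' };
  throw new Error('auth/argument-error');
}

// Production wiring in functions/index.js (firebase-admin and firebase-functions installed):
// const admin = require('firebase-admin'); admin.initializeApp();
// const functions = require('firebase-functions');
// exports.updateProfile = functions.https.onRequest(
//   requireAuth(admin.auth().verifyIdToken.bind(admin.auth()), async (req, res, uid) => {
//     res.json({ ok: true, uid }); // only touch /users/{uid}; never trust a uid from req.body
//   }));
```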
5. Enable App Check (Critical)
In Firebase Console → App Check → Apps: register your app with reCAPTCHA Enterprise (web) or Play Integrity (Android) / DeviceCheck (iOS). Enable enforcement for Firestore, Storage, and Functions. App Check is the difference between “anyone can hit your Firestore from a script” and “only requests from your real app are accepted.”
6. Lock down Cloud Storage rules
Default Studio storage rules: allow read, write: if request.auth != null; — any logged-in user can read/write any file. Tighten:
// Each user may read and write only files under their own prefix.
match /users/{userId}/{allPaths=**} {
  allow read, write: if request.auth != null && request.auth.uid == userId;
}
And add a max-size predicate to the write rule (request.resource.size < 5 * 1024 * 1024; request.resource only exists on writes) to prevent quota exhaustion.
7. Restrict the Firebase API key
Firebase web API keys are public-by-design — they identify the project, not authenticate it. But you should still restrict them in Google Cloud Console → APIs & Services → Credentials → [API key]: limit to specific HTTP referrers (your production domain), and limit to the specific Firebase APIs you use. Reduces the blast radius of accidental scraping.
8. Enable Cloud Audit Logs
In Google Cloud Console → IAM → Audit Logs: enable Data Read / Data Write logging for Firestore and Storage. The default is Admin-only, which means user-data reads aren’t logged — and you can’t investigate an incident you can’t see.
9. Configure CORS on Functions and Storage
For HTTP functions, set CORS in the function code (cors({ origin: 'https://yourapp.com' })), not '*'. For Storage, set the CORS config via gsutil cors set cors.json gs://your-bucket with your production origin only.
10. Review Realtime Database rules (if used)
If you use RTDB alongside Firestore, the rules language is different and the defaults are similarly permissive. Apply the same ownership-keyed predicates: ".read": "auth.uid === $userId".
11. Move secrets to Secret Manager
Stop hardcoding Stripe / SendGrid / OpenAI keys in functions/src/. Use Google Secret Manager: firebase functions:secrets:set STRIPE_SECRET_KEY, then process.env.STRIPE_SECRET_KEY from inside the function. Secrets stored this way are never logged in deploy output and rotate with one command.
12. Audit Gemini-suggested dependencies
Run npm audit in functions/ after Gemini adds packages. Suggestions can include outdated versions or hallucinated names — the Package Hallucination Scanner covers the AI-specific subset.
13. Enable Cloud Armor for production
For production HTTP functions / Cloud Run: front them with a load balancer and enable Cloud Armor with the OWASP Top 10 preconfigured WAF rules. This is the cheapest DDoS / bot mitigation for a Firebase-stack app.
14. Audit OAuth redirect URIs
In Authentication → Sign-in method → [Google / GitHub / etc.] → Authorized domains: remove any cloudworkstations.dev or preview URLs. An extra redirect in the list is an account-takeover surface — see SSRF / open redirect / OAuth.
15. Set up monitoring alerts
In Google Cloud → Monitoring → Alerting: alert on Firestore read/write spikes, Function error rate, and Auth signup spikes. Enable Crashlytics for client-side errors. The point isn’t dashboards — it’s getting paged when an attacker starts probing.
16. Run an automated security scan
The Firebase Scanner covers the rules side; the full VibeEval scan adds Function endpoint coverage, BOLA, and webhook trust.
Related Resources
Firebase Guide
Deep-dive on Firestore / Storage / Auth security.
Free Self-Audit Suite
Five free scanners.
Vibe Coding Security Risk Guide
Full risk catalogue.
Automate Your Security Checks
VibeEval scans your Firebase Studio app and its Firebase backend against every category above plus 305 more probes — including App Check coverage, function-level auth, and storage rule depth.