Firebase Security Best Practices
Secure your Firebase application with these essential practices. From Security Rules to proper authentication.
Verify your app follows these best practices automatically.
Firebase provides flexible security through Security Rules, but misconfiguration is common. These practices help you secure your Firebase resources properly.
Quick Wins
Security Best Practices
#1 Write Restrictive Security Rules (critical)
Never use 'allow read, write: if true;' in production. Every rule should validate authentication and authorization.
Implementation
Write rules that check auth.uid and resource ownership for each operation
Before (insecure):

    match /users/{userId} {
      allow read, write: if true; // Anyone can access
    }

After (restricted to the signed-in owner):

    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

#2 Restrict API Key Usage (critical)
Firebase API keys are designed to be public, but you should restrict them to your domains and enable only needed APIs.
Implementation
In Google Cloud Console, restrict API key to your domain and specific Firebase APIs
#3 Validate Data in Security Rules (high)
Check data types, sizes, and required fields in Security Rules, not just authentication.
Implementation
Add validation rules like request.resource.data.title.size() < 100
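As an added example (not code from this page), here is a complete Firestore rules file that combines the ownership check from #1 with type, size and required-field validation, and goes one step further by treating create and update separately so that the author and creation timestamp cannot be rewritten after the fact. The /posts collection and its field names are assumptions chosen for illustration.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth != null;
    }

    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Shape check for a hypothetical post document:
    // exactly these four fields, with bounded types and sizes.
    function validPost(data) {
      return data.keys().hasAll(['title', 'body', 'authorId', 'createdAt'])
        && data.keys().hasOnly(['title', 'body', 'authorId', 'createdAt'])
        && data.title is string
        && data.title.size() > 0 && data.title.size() < 100
        && data.body is string
        && data.body.size() <= 10000
        && data.authorId is string
        && data.createdAt is timestamp;
    }

    match /posts/{postId} {
      // Any signed-in user may read posts.
      allow read: if isSignedIn();

      // Creating a post: the caller must be the author it names,
      // the document must pass the shape check, and createdAt must
      // be the server time (client writes it via serverTimestamp()).
      allow create: if isOwner(request.resource.data.authorId)
        && validPost(request.resource.data)
        && request.resource.data.createdAt == request.time;

      // Updating: only the existing author, the new document must
      // still validate, and authorId/createdAt are immutable.
      allow update: if isOwner(resource.data.authorId)
        && validPost(request.resource.data)
        && request.resource.data.authorId == resource.data.authorId
        && request.resource.data.createdAt == resource.data.createdAt;

      // Deleting: only the existing author.
      allow delete: if isOwner(resource.data.authorId);
    }
  }
}
```

Note that `resource.data` is the document already stored and `request.resource.data` is the document as it would look after the write; validating only the latter would let an update silently reassign `authorId`. Run a file like this through the Rules Simulator or the emulator with a denied case for each `&&` clause, not just the happy path.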
#4 Use Firebase Authentication (high)
Firebase Auth integrates with Security Rules via request.auth. Custom auth loses this integration.
Implementation
Use Firebase Auth SDK, reference request.auth in Security Rules
#5 Secure Cloud Storage Buckets (high)
Storage buckets need their own Security Rules. Default rules are often too permissive.
Implementation
Write Storage Rules that validate file types, sizes, and user ownership
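As an added example (not code from this page), a Cloud Storage rules file that limits a per-user avatar path to images under 5 MB and to the owning user. The /users/{userId}/avatar/ layout, the allowed content types and the size limit are assumptions; adjust them to the bucket layout you actually use.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Only PNG, JPEG or WebP, and under 5 MB.
    // request.resource is the object being uploaded; it is null on delete,
    // so this check must not be applied to delete operations.
    function isSmallImage() {
      return request.resource.contentType.matches('image/(png|jpeg|webp)')
        && request.resource.size < 5 * 1024 * 1024;
    }

    match /users/{userId}/avatar/{fileName} {
      // Signed-in users may view avatars.
      allow read: if request.auth != null;

      // Uploads and replacements: owner only, and the file must pass the
      // type/size check.
      allow create, update: if isOwner(userId) && isSmallImage();

      // Deletes: owner only (no request.resource to inspect here).
      allow delete: if isOwner(userId);
    }
  }
}
```

Paths not matched by any rule are denied by default, so a file like this also closes off the rest of the bucket. Keep in mind that `contentType` is supplied by the uploading client; it is a useful first gate, not proof of what the bytes actually are, so server-side processing should still treat uploads as untrusted input.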
#6 Enable App Check (medium)
App Check verifies requests come from your legitimate app, preventing API abuse.
Implementation
Enable App Check in Firebase Console and enforce in Security Rules
Common Mistakes to Avoid
Using 'if true' rules in production
Risk: allows anyone to read and write any data.
Fix: always require authentication and ownership verification.

Unrestricted API keys
Risk: allows abuse from any domain, increasing costs and risk.
Fix: restrict API keys to your domains in Google Cloud Console.

Not validating data in rules
Risk: allows malformed or malicious data to be stored.
Fix: add size limits, type checks, and required field validation in rules.
Verify Your Firebase App Security
Following best practices is the first step. Verify your app is actually secure with a comprehensive security scan.
Frequently Asked Questions
Is my Firebase API key secret?
No, Firebase API keys are designed to be public. Security is enforced by Security Rules and API key restrictions. Never rely on hiding the API key for security.
How do I test my Security Rules?
Use the Firebase Rules Simulator in the Console, or write unit tests with @firebase/rules-unit-testing. Test both allowed and denied scenarios.
Can someone access my database with just the API key?
Only if your Security Rules allow it. With proper rules, the API key alone cannot access any data; authentication and authorization are still required.
Last updated: January 2026