Firebase
Security Checklist

Firebase Security Checklist

Last updated: January 12, 2026

Use this checklist to ensure your Firebase application is secure before launch. 3 critical items require immediate attention.

13
Total Items
3
Critical
3
Auto-Scanned
Auto-Scan 3 ItemsFirebase Security Guide

Security Rules

critical

Remove test mode rules

Auto

Never deploy 'allow read, write: if true'

critical

Check authentication in rules

Auto

Verify request.auth != null

high

Validate data structure

Check data types and fields

high

Test with emulator

Verify rules before deployment

Credential Security

medium

Client config is public

Firebase config in frontend is OK

critical

Service account server-only

Auto

Never expose admin SDK credentials

medium

Restrict API key

Configure API restrictions in Google Cloud

Authentication

high

Enable email verification

Require users to verify email

medium

Configure sign-in methods

Only enable needed providers

medium

Set up app verification

Protect against abuse

Storage Security

high

Write storage rules

Don't leave storage open

medium

Validate file types

Restrict uploadable file types

low

Set size limits

Prevent abuse via large uploads

Don't Check Manually

VAS automatically checks 3 of these 13 items. Get instant results with detailed remediation guidance.

Run Automated Security Scan

Frequently Asked Questions

How do I know if I'm still in test mode?

Check Firebase Console > Firestore > Rules. Test mode rules contain 'allow read, write: if true' or have a timestamp check that may have expired. Firebase shows a warning banner when test mode is active.

Is Firebase client config really safe to expose?

Yes, Firebase client configuration (apiKey, authDomain, projectId) is designed to be public. Security comes from Security Rules, not from hiding the config. The apiKey only identifies your project to Google services - it doesn't grant access.

Related Security Resources

Firebase SecurityHow to Secure FirebaseIs Firebase Safe?