Firebase
Security Checklist

Firebase Security Checklist

Last updated: April 20, 2026

The single most common Firebase security failure in production is shipping with the default test-mode rules ("allow read, write: if true"). This checklist starts there and walks through the 13 checks every Firebase app should pass before launch — 3 critical, 3 auto-scannable.

13
Total Items
3
Critical
3
Auto-Scanned
Auto-Scan 3 ItemsFirebase Security Guide

Why This Security Checklist Matters

Security checklists serve as systematic guides for identifying vulnerabilities that might otherwise be overlooked during rapid development cycles. For Firebase applications specifically, this checklist addresses the most common security gaps that emerge when using AI-assisted development workflows.

Research from multiple security organizations indicates that approximately 80% of AI-built applications contain at least one exploitable vulnerability at launch. The vulnerabilities are often predictable—they follow patterns that this checklist is designed to catch. By systematically reviewing each item, you significantly reduce the risk of launching an insecure application.

Unlike generic security checklists, this guide focuses specifically on vulnerabilities prevalent in Firebase applications. Each item has been prioritized based on real-world attack patterns and the potential impact of exploitation. Critical items should be addressed before any production deployment.

Critical Priority

Critical items can lead to complete application compromise, data breaches, or unauthorized access to all user accounts. These must be addressed before deploying to production. Attackers actively scan for these vulnerabilities.

High Priority

High priority items represent significant security risks that could allow unauthorized access to sensitive data or functionality. While not immediately catastrophic, these vulnerabilities should be fixed as soon as possible.

Medium/Low Priority

Medium and low priority items strengthen your overall security posture. While they may not be immediately exploitable, addressing them prevents attack chains and defense-in-depth gaps.

Manual vs Automated Security Checking

While manual security reviews are thorough, they're time-consuming and prone to human error. Automated scanning catches common vulnerabilities instantly, freeing you to focus on business logic and complex security decisions.

Items VAS Automates

  • Exposed API keys and secrets in JavaScript bundles
  • HTTP security header configuration
  • Supabase RLS policy testing
  • Firebase Security Rules validation
  • Cookie security attributes

Manual Review Still Required

  • Business logic vulnerabilities
  • Custom authentication implementations
  • Access control logic in API routes
  • Data validation requirements
  • Third-party integration security

Security Rules

critical

Remove test mode rules

Auto

Never deploy 'allow read, write: if true'

critical

Check authentication in rules

Auto

Verify request.auth != null

high

Validate data structure

Check data types and fields

high

Test with emulator

Verify rules before deployment

Credential Security

medium

Client config is public

Firebase config in frontend is OK

critical

Service account server-only

Auto

Never expose admin SDK credentials

medium

Restrict API key

Configure API restrictions in Google Cloud

Authentication

high

Enable email verification

Require users to verify email

medium

Configure sign-in methods

Only enable needed providers

medium

Set up app verification

Protect against abuse

Storage Security

high

Write storage rules

Don't leave storage open

medium

Validate file types

Restrict uploadable file types

low

Set size limits

Prevent abuse via large uploads

Explore Related Resources

Don't Check Manually

VAS automatically checks 3 of these 13 items. Get instant results with detailed remediation guidance.

Run Automated Security Scan

Frequently Asked Questions

How do I know if I'm still in test mode?

Check Firebase Console > Firestore > Rules. Test mode rules contain 'allow read, write: if true' or have a timestamp check that may have expired. Firebase shows a warning banner when test mode is active.

Is Firebase client config really safe to expose?

Yes, Firebase client configuration (apiKey, authDomain, projectId) is designed to be public. Security comes from Security Rules, not from hiding the config. The apiKey only identifies your project to Google services - it doesn't grant access.

More on Firebase Security

Every angle of Firebase security — from the specific findings we detect to step-by-step fixes.

Firebase Security Scanner

Hub page: scan your Firebase app for vulnerabilities.

Firebase Security Risks

Specific risks we find in Firebase apps, with real-world examples.

Firebase Security Issues

Issues grouped by severity with detection and fix steps.

Firebase Best Practices

Remediation playbook derived from Firebase's actual failure modes.

Is Firebase Safe?

Honest assessment of Firebase's production readiness.

How to Secure Firebase Apps

Step-by-step hardening guide for Firebase deployments.

Can Firebase Apps Be Hacked?

Attack vectors specific to Firebase and how they get exploited.

Related Security Resources

Firebase SecurityHow to Secure FirebaseIs Firebase Safe?

Similar Platforms

Supabase ChecklistBolt.new ChecklistLovable Checklist