Firebase Security

Firebase Security Scanner

Automatically test your Firestore security rules and find data exposure before attackers exploit it.

Firebase Config is Always Public

Your Firebase API key and project ID are visible in every Firebase app. This is intentional—but security depends entirely on your Firestore rules. Without proper rules, anyone can read or write your data.

    // Dangerous: rules that allow anyone to read and write every document
    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if true;
        }
      }
    }

What We Scan For

Firestore Rules Testing

We attempt to read collections using your public Firebase config, testing if your security rules are properly configured.

Auth Configuration

Checks Firebase Auth settings including sign-in providers, password requirements, and email enumeration protection.

API Key Restrictions

Verifies your Firebase API key has proper restrictions and isn't exposed with overly permissive settings.

Storage Rules

Tests Firebase Storage bucket permissions to ensure uploaded files aren't publicly accessible.

Understanding Firebase Security

Designed to be Public

  • Firebase API key (AIzaSy...)
  • Project ID
  • Auth domain
  These are safe to expose.

Must Be Protected

  • Service account keys
  • Admin SDK credentials
  • Database data (protected via rules)
  Never expose these.

What You'll Get

  • List of exposed Firestore collections
  • Accessible document paths
  • Sample data proving exposure
  • Security rules recommendations
  • Auth configuration audit
  • Step-by-step fix guide
  • AI-ready markdown export
  • Re-scan to verify fixes

Frequently Asked Questions

Is it safe that my Firebase API key is visible in source code?

Yes, Firebase API keys (AIzaSy...) are designed to be public. They identify your project but don't grant access alone. Security depends on your Firestore Security Rules and Firebase Auth. However, if your rules allow 'read, write: if true', anyone can access your data.

Firebase security rules not working - how to debug?

Common issues: 1) Rules allow 'if true' (completely open), 2) Rules check auth but users aren't signed in, 3) Rules path doesn't match your data structure. Use VAS to test your actual deployed rules by attempting unauthorized reads - we'll show exactly which collections are exposed.

How to secure Firebase database from hackers?

Replace 'allow read, write: if true' with specific rules. Require authentication: 'allow read, write: if request.auth != null'. Scope to user data: 'if request.auth.uid == userId'. Test regularly with VAS to catch misconfigurations before attackers do.
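As an added illustration (not part of this page or of the VAS product), here is what the "open" ruleset shown earlier looks like once the advice in the two answers above is applied: authentication is required, per-user documents are scoped to `request.auth.uid`, and everything not explicitly matched is denied. The `products`, `users` and `notes` collections and the `ownerId` field are assumed names chosen for the example; substitute your own data layout. The subcollection match is included because issue 3 above (rules path not matching the data) is most often caused by assuming a rule on `/users/{userId}` also covers documents nested under it, which it does not.

```firestore
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: the caller has signed in through Firebase Auth.
    function signedIn() {
      return request.auth != null;
    }

    // Helper: the caller's uid matches the userId segment of the path.
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // Hypothetical public reference data: readable by anyone, never
    // writable from clients (load it with the Admin SDK, which bypasses rules).
    match /products/{productId} {
      allow read: if true;
      allow write: if false;
    }

    // Hypothetical per-user profile document: only its owner may read it,
    // and a write must keep the assumed ownerId field consistent with the path.
    match /users/{userId} {
      allow read: if isOwner(userId);
      allow create, update: if isOwner(userId)
        && request.resource.data.ownerId == userId;
      allow delete: if isOwner(userId);
    }

    // Rules do NOT cascade into subcollections: without this block,
    // /users/{userId}/notes/{noteId} would be denied even for the owner
    // (the "rules path doesn't match your data structure" problem).
    match /users/{userId}/notes/{noteId} {
      allow read, write: if isOwner(userId);
    }

    // Any collection not matched above is denied by default; no
    // catch-all "match /{document=**}" is needed to close it off.
  }
}
```

Deploy this as your `firestore.rules` and then re-test: an unauthenticated read of `users` or `notes` should now be rejected, while `products` remains readable, which is exactly the kind of difference a rules scan is meant to confirm.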

Firebase vs Supabase security - which is safer?

Both are equally secure when properly configured. Firebase uses Security Rules, Supabase uses Row Level Security (RLS). Both have public client keys by design. The risk is misconfiguration - VAS scans for both Firebase and Supabase security issues.

Can someone steal my Firebase data with the API key?

Only if your Firestore Security Rules are misconfigured. The API key alone doesn't grant access - rules do. If your rules allow public read/write, anyone can access everything. Run a VAS scan to check if your Firebase data is actually protected.

Secure Your Firebase App Today

Find out if your Firestore data is exposed before someone else does.

Start Free Scan

Free scan checks security headers. Full scan tests Firestore rules.