Step-by-Step Guide
6 steps

How to Deploy Firebase Apps Securely

Before deploying your Firebase app to production, verify that Security Rules are locked down, API keys are restricted, and authentication is configured properly. This pre-deployment checklist covers every security item.

Follow These Steps

1

Replace test mode Security Rules

Verify Firestore, Realtime Database, and Storage rules are production-ready.

Code Example
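# Review the rules files that will be deployed.
# File names are the `firebase init` defaults; firebase.json sets the actual paths.
cat firestore.rules
cat database.rules.json
cat storage.rules

2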

Restrict API keys in Google Cloud Console

Add HTTP referrer restrictions and API restrictions to your Firebase API key.

3

Enable App Check

Add App Check to verify requests come from your legitimate app.

Code Example
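import { initializeApp } from 'firebase/app'
import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check'

// firebaseConfig is your project's web app config object
const app = initializeApp(firebaseConfig)

// Initialize App Check before calling other Firebase services
initializeAppCheck(app, {
  provider: new ReCaptchaV3Provider('SITE_KEY'), // replace with your reCAPTCHA v3 site key
  isTokenAutoRefreshEnabled: true // refresh App Check tokens automatically
})

4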

Configure authentication settings

Disable unused auth providers, enable email enumeration protection, and set password requirements.

5

Deploy rules and functions together

Deploy all security rules and Cloud Functions in a single deployment.

Code Example
# Append ,database if the project also uses Realtime Database rules
firebase deploy --only firestore:rules,storage,functions

6

Scan the deployed application

Run a VAS scan to verify all security configurations are active in production.
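
A pre-deploy gate for steps 1 and 5, as an added example that is not part of the original guide: it flags unconditional `allow` statements and the `request.time` expiry rule that test mode generates in the local rules files before `firebase deploy` runs. The function names and the file names `firestore.rules` and `storage.rules` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: heuristic pre-deploy check, not a Security Rules parser.
# Assumed names: check_rules_file, predeploy_gate, firestore.rules, storage.rules.

# Returns 0 if no open pattern is found, 1 if one is, 2 if the file is missing.
check_rules_file() {
  file="$1"
  found=0
  if [ ! -f "$file" ]; then
    echo "MISSING: $file" >&2
    return 2
  fi
  # Drop // comments and flatten whitespace so a rule split across lines still matches.
  flat=$(sed 's://.*$::' "$file" | tr '\n\t' '  ' | tr -s ' ')
  # "allow ...: if true;" grants access to everyone.
  if printf '%s' "$flat" | grep -Eq 'allow[^;:]*: *if +true *;'; then
    echo "OPEN: $file contains 'if true'" >&2
    found=1
  fi
  # "allow read, write;" with no condition is equally open.
  if printf '%s' "$flat" | grep -Eq 'allow +[a-z, ]+;'; then
    echo "OPEN: $file has an allow statement without a condition" >&2
    found=1
  fi
  # Test mode writes an expiry rule: if request.time < timestamp.date(...).
  if printf '%s' "$flat" | grep -Eq 'if +request\.time *< *timestamp\.date'; then
    echo "TEST MODE: $file uses a request.time expiry rule" >&2
    found=1
  fi
  return "$found"
}

# Checks every file given; returns 1 if any of them fails.
predeploy_gate() {
  gate=0
  for f in "$@"; do
    check_rules_file "$f" || gate=1
  done
  return "$gate"
}

# Usage (run from the project root):
#   predeploy_gate firestore.rules storage.rules &&
#     firebase deploy --only firestore:rules,storage,functions
```

A clean result only means none of these three patterns appear; rules can still be too permissive in other ways, so the deployed-app scan in step 6 still applies.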

What You'll Achieve

Your Firebase app is deployed with production Security Rules, restricted API keys, App Check enabled, and authentication hardened.

Common Mistakes to Avoid

Mistake

Deploying without updating Security Rules

Fix

Always deploy rules alongside code changes. Use firebase deploy --only firestore:rules to ensure rules are current.

Mistake

Forgetting to deploy Storage rules

Fix

Storage rules are separate from Firestore rules. Deploy them with --only storage.

Frequently Asked Questions

Can I deploy rules without deploying the whole app?

Yes. Use firebase deploy --only firestore:rules to deploy just Firestore rules, or firebase deploy --only storage for Storage rules.
