How to Secure Your Firebase App
Firebase provides authentication, real-time database, Firestore, Cloud Functions, and hosting. Each service has its own security configuration. This guide covers every layer of Firebase security, from Security Rules to API key restrictions and Cloud Functions hardening.
Follow These Steps
Lock down Firestore Security Rules
Replace default open rules with restrictive rules that scope access to authenticated users and their own data.
  rules_version = '2';
  service cloud.firestore {
    match /databases/{database}/documents {
      match /users/{userId} {
        allow read, write: if request.auth != null && request.auth.uid == userId;
      }
      match /posts/{postId} {
        allow read: if request.auth != null;
        allow create: if request.auth != null
          && request.resource.data.authorId == request.auth.uid;
        allow update, delete: if request.auth != null
          && resource.data.authorId == request.auth.uid;
      }
      match /{document=**} {
        allow read, write: if false;
      }
    }
  }
Secure Realtime Database rules
If you use Realtime Database, configure rules to restrict access. The default rules in test mode allow anyone to read and write everything.
  // database.rules.json
  {
    "rules": {
      "users": {
        "$uid": {
          ".read": "$uid === auth.uid",
          ".write": "$uid === auth.uid"
        }
      },
      "messages": {
        ".read": "auth != null",
        "$messageId": {
          ".write": "auth != null && newData.child('authorId').val() === auth.uid"
        }
      }
    }
  }
Configure Storage Security Rules
Set up rules that restrict file uploads by type, size, and ownership.
  rules_version = '2';
  service firebase.storage {
    match /b/{bucket}/o {
      match /users/{userId}/{fileName} {
        allow read: if request.auth != null;
        allow write: if request.auth != null
          && request.auth.uid == userId
          && request.resource.size < 5 * 1024 * 1024
          && request.resource.contentType.matches('image/.*');
      }
      match /{allPaths=**} {
        allow read, write: if false;
      }
    }
  }
Restrict API keys in Google Cloud Console
Firebase API keys are public by design, but restricting them prevents quota abuse and misuse.
Steps in Google Cloud Console:
  1. Go to APIs & Services > Credentials
  2. Click on your Firebase API key
  3. Set Application restrictions to "HTTP referrers"
  4. Add your domain: yourdomain.com/*
  5. Set API restrictions to only the Firebase APIs you use
  6. Save
Create separate API keys for web and mobile. Restrict each to the appropriate platform.
Validate data in Cloud Functions
Cloud Functions should validate all input and check authentication before performing operations.
  import * as functions from 'firebase-functions/v2'
  import { z } from 'zod'

  // Schema for the callable payload; anything outside these bounds is rejected.
  const Schema = z.object({
    title: z.string().min(1).max(200),
    content: z.string().min(1).max(10000)
  })

  export const createPost = functions.https.onCall(async (request) => {
    // Callable functions expose the caller's verified ID token as request.auth.
    if (!request.auth) {
      throw new functions.https.HttpsError('unauthenticated', 'Login required')
    }
    const parsed = Schema.safeParse(request.data)
    if (!parsed.success) {
      throw new functions.https.HttpsError('invalid-argument', 'Invalid data')
    }
    // parsed.data is typed and bounded; safe to process
  })
Enable App Check
App Check verifies that requests come from your legitimate app, not from scripts or other unauthorized clients. Registering the provider in the client only attaches tokens to requests; enforcement must also be switched on per service (Firestore, Realtime Database, Storage, Cloud Functions) in the Firebase Console App Check page, otherwise requests without a valid token are still accepted.
  import { initializeAppCheck, ReCaptchaEnterpriseProvider } from 'firebase/app-check'

  // `app` is the FirebaseApp returned by initializeApp(); 'SITE_KEY' is your reCAPTCHA Enterprise site key.
  const appCheck = initializeAppCheck(app, {
    provider: new ReCaptchaEnterpriseProvider('SITE_KEY'),
    isTokenAutoRefreshEnabled: true
  })
Harden authentication settings
In Firebase Console, go to Authentication > Settings. Enable email enumeration protection, configure password policy, and disable unused sign-in providers.
Enable multi-factor authentication for admin accounts that access the Firebase Console.
Deploy rules and scan
Deploy your security rules and run a VAS scan to verify everything is configured correctly.
  # Deploy all security rules
  firebase deploy --only firestore:rules,storage,database
  # Then scan your live app with VAS
What You'll Achieve
Your Firebase app now has locked-down Security Rules for Firestore, Realtime Database, and Storage. API keys are restricted, Cloud Functions validate all input, App Check is enabled, and authentication is hardened.
Common Mistakes to Avoid
Mistake: Leaving test mode rules in production
Fix: Test mode rules (allow read, write: if true) give everyone full access. Always deploy restrictive rules before launch.
Mistake: Using the Admin SDK in client-side code
Fix: The Firebase Admin SDK bypasses Security Rules. Never use it in browser or mobile code. It belongs only in Cloud Functions or trusted servers.
Mistake: Not validating data in Security Rules
Fix: Security Rules can validate data structure and types. Use request.resource.data to check that required fields exist and have correct types.
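As an added example (not the guide's own rules), this is how the posts collection from the Firestore section could enforce a document schema with request.resource.data. The field set and length limits assumed here mirror the Cloud Function schema above, and the createdAt check assumes clients write a server timestamp.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    // Shape check for a post: exactly these keys, with these types and sizes.
    function validPost(post) {
      return post.keys().hasOnly(['authorId', 'title', 'content', 'createdAt'])
        && post.keys().hasAll(['authorId', 'title', 'content', 'createdAt'])
        && post.authorId is string
        && post.title is string
        && post.title.size() > 0 && post.title.size() <= 200
        && post.content is string
        && post.content.size() > 0 && post.content.size() <= 10000
        && post.createdAt is timestamp;
    }

    match /posts/{postId} {
      allow read: if signedIn();

      // On create the author must be the caller and createdAt must be the
      // server time (client writes serverTimestamp(), which equals request.time).
      allow create: if signedIn()
        && validPost(request.resource.data)
        && request.resource.data.authorId == request.auth.uid
        && request.resource.data.createdAt == request.time;

      // On update the shape is re-checked and authorId/createdAt are immutable,
      // so a client cannot reassign a post or backdate it.
      allow update: if signedIn()
        && resource.data.authorId == request.auth.uid
        && validPost(request.resource.data)
        && request.resource.data.authorId == resource.data.authorId
        && request.resource.data.createdAt == resource.data.createdAt;

      allow delete: if signedIn() && resource.data.authorId == request.auth.uid;
    }

    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Without the hasOnly check a client can still attach arbitrary extra fields to a document, so validate the key set as well as the individual fields.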
Frequently Asked Questions
Are Firebase API keys secrets?
No. Firebase API keys are designed to be embedded in client code. They identify your Firebase project but do not grant access. Security comes from Security Rules, not key secrecy.
What is the difference between Firestore and Realtime Database rules?
They use different syntax and have different capabilities. Firestore rules support more complex conditions and data validation. Both need to be configured independently.
Can someone read my entire Firestore database?
Only if your Security Rules allow it. With properly configured rules scoping access to authenticated users and their own data, unauthorized access is blocked.