How to Secure Your Firebase App
Last updated: April 20, 2026
Firebase is powerful but requires explicit security configuration. This guide covers the essential Security Rules and auth settings for production Firebase apps.
Step-by-Step Security Guide
1. Replace Test Mode Rules
Never deploy with test mode rules. They allow anyone to read/write your entire database.
// BAD - Test mode
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

2. Write Proper Security Rules
Rules should check that the caller is authenticated and authorized for the specific document, and validate the structure of any data being written.
// GOOD - Production rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }
  }
}

3. Protect Admin Credentials
Service account keys must never ship in client code. Use them only in Cloud Functions or in server environments you control.
4. Test Rules with Emulator
Use the Firebase Emulator Suite to test your Security Rules before deploying them.
5. Configure Auth Settings
Enable email verification, configure OAuth providers securely, and set up proper password policies.
6. Validate with VAS
Scan your deployed app to verify rules are working as expected.
Ready to Secure Your App?
Security is an ongoing process, not a one-time checklist. After implementing these steps, use VAS to verify your Firebase app is secure before launch, and consider regular scans as you add new features.
Frequently Asked Questions
How do I know if my Firebase rules are in test mode?
Check Firebase Console > Firestore > Rules. Test mode rules contain 'allow read, write: if true', or grant access only while the current date is before an expiry timestamp. Firebase also shows a warning banner when test mode is active. VAS can detect test mode rules in deployed apps.
What's the difference between authentication and authorization in Firebase rules?
Authentication: 'request.auth != null' (the user is logged in). Authorization: 'request.auth.uid == userId' (the user can only access their own data). Always check BOTH: authentication alone means any logged-in user can access any data.
Can I test Firebase rules without deploying?
Yes! Use Firebase Emulator Suite: 'firebase emulators:start'. Write unit tests with @firebase/rules-unit-testing. Test positive cases (user can access own data) AND negative cases (user cannot access others' data, anon users blocked).
Why does my Firebase app work locally but not in production?
Common causes: you were using test mode rules locally but deployed stricter rules, or you are signed in locally but not handling the auth state properly in production. Check the browser console for Firebase permission errors and compare the deployed rules with your local ones.