Last updated: January 12, 2026
Firebase is powerful but requires explicit security configuration. This guide covers the essential Security Rules and auth settings for production Firebase apps.
Never deploy with test mode rules. They allow anyone to read/write your entire database.
```
// BAD - Test mode
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```

Rules should check authentication and validate data structure.
```
// GOOD - Production rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }
  }
}
```

Service account keys should never be in client code. Use them only in Cloud Functions or server environments.
Use Firebase Emulator to test your Security Rules before deploying.
Enable email verification, configure OAuth providers securely, and set up proper password policies.
Scan your deployed app to verify rules are working as expected.
Avoid these common Firebase security pitfalls:
Use these tools to maintain security throughout development:
Security is an ongoing process, not a one-time checklist. After implementing these steps, use VAS to verify your Firebase app is secure before launch, and consider regular scans as you add new features.
Check Firebase Console > Firestore > Rules. Test mode rules contain 'allow read, write: if true', or grant access only while request.time is before a hard-coded expiry timestamp. Firebase also shows a warning banner when test mode is active. VAS can detect test mode rules in deployed apps.
Authentication: 'request.auth != null' (the user is logged in). Authorization: 'request.auth.uid == userId' (the user can only access their own data). Always check BOTH: authentication alone means any logged-in user can access any data.
Yes! Use the Firebase Emulator Suite ('firebase emulators:start') and write unit tests with @firebase/rules-unit-testing. Test positive cases (a user can access their own data) AND negative cases (a user cannot access others' data, anonymous users are blocked).
Common cause: you're using test mode rules locally but deployed stricter rules, or you're signed in locally but not handling the auth state properly in production. Check the browser console for Firebase permission errors and compare them against your rules.