What are Firebase security best practices?

The best practices specific to Firebase (not generic OWASP)

Every "security best practices" list tells you to use HTTPS and rotate keys. Those are table stakes. The list below is what actually matters for Firebase apps, based on the risks that appear in real Firebase deployments.

1. Replace test rules immediately

*Why:* Security Rules allowing all reads/writes, often forgotten after development. *Do this:* Replace test rules immediately. Use firebase emulator to test production rules.

2. Add request

*Why:* Rules check if user is logged in but not if they own the data. *Do this:* Add request.auth.uid == userId checks to all document access rules.

3. Admin SDK is server-only

*Why:* Service account JSON in frontend code grants full admin access. *Do this:* Admin SDK is server-only. Remove from client code immediately.

4. Write storage

*Why:* Cloud Storage with permissive rules allows malicious uploads. *Do this:* Write storage.rules with proper auth checks and file type validation.

5. Add data validation in rules: request

*Why:* Rules check auth but don't validate data structure or types. *Do this:* Add data validation in rules: request.resource.data.keys().hasOnly([...])

Firebase-specific: treat test-mode rules as a security bug

Firebase's 30-day test-mode countdown has ended the data lifespan of many Firebase apps. Your Firestore and Storage rules must enforce `request.auth.uid == resource.data.uid` (or equivalent) before first production traffic — not after a user reports a bug.

Verification

Even perfect best practices don't prove themselves — the only way to confirm the list above is implemented is to scan a deployed Firebase app. VAS probes each of security rules, credential exposure, auth configuration, security headers by actually attempting the attack, not just reading headers or docs.