Bolt + Firebase pre-launch security checklist
A Bolt-generated Firebase app frequently ships with Firestore and Storage rules that read "allow read, write: if true" for the whole database, or with the time-limited "test mode" rules that do the same thing until an expiry date. Combined with auth misconfiguration, that is a public dataset waiting for indexers. Walk this checklist before launch.
11 checks
Tick through each one
Each item carries a severity and a detector tag. The detector tag names the scanner module that marks the item pass or fail when you run a SafeToShip scan; the fix guides for the most common failures are further down the page.
Firestore rules deny by default; allow scoped per-doc
Critical · Detector: firebase
Cloud Storage rules deny anonymous read/write
Critical · Detector: firebase
Service-account JSON not bundled or committed
Critical · Detector: js-secrets
Firebase config object only contains public fields
Low · Detector: js-secrets
App Check enabled to prevent off-app abuse
Medium · Detector: firebase
.env not exposed at /.env
Critical · Detector: exposed-files
Custom Cloud Functions allowlist origins
High · Detector: cors
CSP allows Firebase domains, blocks unrelated inline scripts
High · Detector: headers
HSTS set at the hosting layer
High · Detector: headers
Session cookies Secure + HttpOnly
High · Detector: cookies
Valid TLS, no mixed content
High · Detector: ssl
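What the first two checks expect, as an added example (not code from this page, from Bolt, or from Firebase): a firestore.rules file that denies everything by default and scopes one collection to its owner, followed by a storage.rules file of the same shape. The collection name notes, the ownerId field and the users/{uid}/ prefix are this example's assumptions.

```rules
// firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Catch-all deny. Unmatched paths are denied anyway, but an explicit
    // rule keeps the intent visible in review and survives edits that
    // delete the generated "test mode" block without adding anything.
    match /{document=**} {
      allow read, write: if false;
    }

    // Per-document scoping: a signed-in user may read, update and delete
    // only documents whose ownerId is their uid, and may only create
    // documents that name themselves as owner. ownerId is assumed to be
    // set by the client on create; the update rule stops it being reassigned.
    match /notes/{noteId} {
      function signedIn() {
        return request.auth != null;
      }
      function ownsExisting() {
        return signedIn() && resource.data.ownerId == request.auth.uid;
      }

      allow read: if ownsExisting();
      allow create: if signedIn()
                    && request.resource.data.ownerId == request.auth.uid;
      allow update: if ownsExisting()
                    && request.resource.data.ownerId == resource.data.ownerId;
      allow delete: if ownsExisting();
    }
  }
}

// storage.rules: same shape, scoped by object path instead of by a field.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if false;
    }
    // Each user may only touch objects under their own uid prefix.
    match /users/{uid}/{file=**} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
```

Two things to remember when testing this: rules never filter, so a client query on /notes must itself include where("ownerId", "==", uid) or the whole query is rejected; and a document without an ownerId field is denied, not allowed, because resource.data.ownerId fails to evaluate.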
Paste this into Bolt
One prompt that runs the entire checklist as a code review pass.
Audit my Bolt + Firebase app: replace the default-allow Firestore and Storage rules with per-document scoped policies (e.g. allow read, write: if request.auth != null && request.auth.uid == resource.data.ownerId), confirm no service-account JSON file is committed or bundled, ensure the Firebase config object only contains the public firebaseConfig fields (apiKey, authDomain, projectId, appId and the like), enable App Check so only the registered app can reach the backend, prevent .env exposure, allowlist CORS origins on custom Cloud Functions, set CSP/HSTS at the hosting layer, set Secure+HttpOnly on session cookies, and confirm TLS validity.
FAQ
Frequently asked questions
- Are Firebase API keys actually public?
- Yes. The apiKey in firebaseConfig is designed to identify your project, not to authenticate anyone; everyone who loads your app has it. Security comes from Firestore/Storage rules and App Check, not from hiding the key. Restricting the key to your own HTTP referrers in the Google Cloud console is worthwhile defence in depth, but it is not the control.
- Do I need App Check?
- For consumer apps, yes. App Check verifies that traffic comes from your registered app rather than from curl scripts. Without it, attackers can hammer your Firestore rules from any client and burn quota. It complements rules rather than replacing them: App Check only attests which app is calling, the rules still decide what that app may read or write, and a determined attacker can still drive the real app.
Per-issue depth
Fix guides for this checklist
Firebase rules too permissive
Firestore rules that allow unauthenticated reads or writes leave your database open to anyone. Here is how to write rules that actually protect your data.
Firebase config issues
The Firebase config in your client code is fine to expose — but only if your rules are strict. Here is how to tell the difference between safe exposure and a leak.
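A way to tell the two apart mechanically, as an added example that serves both js-secrets checks (service-account JSON not bundled or committed; config object only contains public fields). This is not SafeToShip's detector and not code from this page; the public field list, the function names and the sample inputs are this example's assumptions, and the "private key" is a constructed placeholder, not a real credential.

```javascript
// Fields Firebase itself writes into the client firebaseConfig object. They
// identify the project rather than authenticate, so shipping them is expected.
// (Assumed list for this example.)
const PUBLIC_CONFIG_FIELDS = new Set([
  "apiKey", "authDomain", "projectId", "storageBucket",
  "messagingSenderId", "appId", "measurementId", "databaseURL",
]);

const PEM_PRIVATE_KEY = /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/;

// Sort every field of a firebaseConfig object into public, unexpected, or
// leaked. A value carrying a PEM private key is a leak whatever its name.
function classifyFirebaseConfig(config) {
  const result = { publicFields: [], unexpectedFields: [], leakedSecrets: [] };
  for (const [key, value] of Object.entries(config)) {
    const text = typeof value === "string" ? value : JSON.stringify(value);
    if (PEM_PRIVATE_KEY.test(text)) {
      result.leakedSecrets.push(key);
    } else if (PUBLIC_CONFIG_FIELDS.has(key)) {
      result.publicFields.push(key);
    } else {
      result.unexpectedFields.push(key);
    }
  }
  return result;
}

// Does a text blob (a committed JSON file, or a built bundle) contain a
// Firebase/GCP service-account credential? Check the JSON shape when the
// blob parses as JSON; otherwise fall back to string markers, which is what
// catches a credential inlined into a minified bundle.
function findServiceAccountLeaks(text) {
  const reasons = [];
  let parsed = null;
  try {
    parsed = JSON.parse(text);
  } catch {
    parsed = null; // not a standalone JSON document
  }
  if (parsed && typeof parsed === "object") {
    if (parsed.type === "service_account") reasons.push("json: type is service_account");
    if (typeof parsed.private_key === "string" && PEM_PRIVATE_KEY.test(parsed.private_key)) {
      reasons.push("json: private_key is a PEM private key");
    }
    return reasons;
  }
  if (/"type"\s*:\s*"service_account"/.test(text)) reasons.push("bundle: service_account marker");
  if (PEM_PRIVATE_KEY.test(text)) reasons.push("bundle: PEM private key");
  if (/[\w.-]+@[\w-]+\.iam\.gserviceaccount\.com/.test(text)) reasons.push("bundle: service-account email");
  return reasons;
}

// Constructed sample inputs (no real project, key or credential).
const SAFE_CLIENT_CONFIG = {
  apiKey: "AIzaSyExample-not-a-real-key",
  authDomain: "demo-app.firebaseapp.com",
  projectId: "demo-app",
  storageBucket: "demo-app.appspot.com",
  messagingSenderId: "123456789012",
  appId: "1:123456789012:web:abcdef123456",
};

const FAKE_SERVICE_ACCOUNT_JSON = JSON.stringify({
  type: "service_account",
  project_id: "demo-app",
  private_key_id: "0000",
  private_key: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  client_email: "firebase-adminsdk-abc12@demo-app.iam.gserviceaccount.com",
});

// The Bolt-style mistake: the admin credential pasted into the client config.
const LEAKY_CLIENT_CONFIG = {
  ...SAFE_CLIENT_CONFIG,
  adminCredential: JSON.parse(FAKE_SERVICE_ACCOUNT_JSON),
};

// A minified bundle that inlined the credential next to the public config.
const FAKE_BUNDLE =
  'var c={apiKey:"AIzaSyExample-not-a-real-key"};var sa=' + FAKE_SERVICE_ACCOUNT_JSON + ";";

console.log(classifyFirebaseConfig(LEAKY_CLIENT_CONFIG));
console.log(findServiceAccountLeaks(FAKE_BUNDLE));
```

Run findServiceAccountLeaks over every file in the build output and every tracked file in the repo, not just the source tree: the bundle case is the one that survives a .gitignore entry for the JSON file.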
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any website call your API from a browser and read the response. That is fine for genuinely public, unauthenticated data; it is a mistake for anything that identifies the caller. Browsers refuse * on requests that carry cookies, so the common variant of this bug is a server that echoes back whatever Origin header arrives, which is * in all but name. CORS is a browser control only and does nothing against curl or scripts. Here is how to decide and fix it.
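An exact-match origin allowlist for an HTTPS Cloud Function, as an added example (not code from this page, from Bolt, or from Firebase). The allowed origins, the handler and the minimal request/response objects are this example's assumptions; the handler has the (req, res) shape that functions.https.onRequest(handler) takes, and the fake objects let it run here without the SDK.

```javascript
// Exact origins that may call this function from a browser. Set membership,
// not startsWith or a regex: "https://app.example.com.evil.net" must not
// pass, and neither must "http://app.example.com". (Assumed values.)
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://demo-app.web.app",
]);

// CORS headers for a request from `origin`, or null when the origin is not
// allowed (then no CORS headers are sent, which the browser treats as deny).
// The allowed origin is echoed back verbatim instead of "*", and Vary: Origin
// stops a shared cache from serving one origin's answer to another.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Firebase-AppCheck",
    "Access-Control-Max-Age": "600",
    "Vary": "Origin",
  };
}

function handler(req, res) {
  const origin = req.headers.origin;
  const cors = corsHeadersFor(origin);
  if (req.method === "OPTIONS") {
    // Preflight: only allowed origins get the CORS headers, everyone else 403.
    if (!cors) return res.status(403).end();
    for (const [name, value] of Object.entries(cors)) res.set(name, value);
    return res.status(204).end();
  }
  if (origin && !cors) {
    // A browser request from a non-allowed origin. The browser would hide the
    // response anyway; refusing server-side also avoids doing the work.
    return res.status(403).json({ error: "origin not allowed" });
  }
  if (cors) for (const [name, value] of Object.entries(cors)) res.set(name, value);
  // No Origin header means a non-browser caller (curl, a script). CORS is not
  // a control there; the Authorization token and App Check are.
  return res.status(200).json({ ok: true });
}

// Minimal Express-style response object, enough for the handler above.
function fakeResponse() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.set = (name, value) => { res.headers[name] = value; return res; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  res.end = () => res;
  return res;
}

// Drive the handler with a constructed request and return the response.
function simulate(method, origin) {
  const res = fakeResponse();
  handler({ method, headers: origin ? { origin } : {} }, res);
  return res;
}

console.log(simulate("OPTIONS", "https://app.example.com").headers);
console.log(simulate("GET", "https://app.example.com.evil.net").statusCode);
```

If the function is only ever called from your own Firebase Hosting site through a rewrite, it is same-origin and needs no CORS headers at all; the allowlist is for the case where the function lives on its own domain.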
Run the scan to confirm each check
60 seconds. Free. No account required.