Firebase pre-launch security checklist
Firebase Security Rules are the entire security perimeter for client-driven Firebase apps. Default-allow rules in starter templates are still the #1 cause of public Firestore datasets. Walk this list and verify each rule with the Firebase Emulator before launch.
11 checks
Click any item to open the detailed fix guide. The detector tag shows which scanner module sets that item to pass or fail when you run a SafeToShip scan.
- Firestore rules deny by default with scoped allows (Critical; detector: firebase)
- Storage rules deny anonymous read/write (Critical; detector: firebase)
- App Check enabled and ENFORCED for production (High; detector: firebase)
- Service account JSON in secret manager, not committed (Critical; detector: js-secrets)
- Firebase config object only contains expected public values (Low; detector: js-secrets)
- CSP allows firebaseapp.com / firebaseio.com (High; detector: headers)
- HSTS via firebase.json hosting headers (High; detector: headers)
- Cookies Secure + HttpOnly + SameSite (High; detector: cookies)
- Custom Cloud Functions allowlist origins (High; detector: cors)
- Cloud Functions rate-limit hot endpoints (Medium; detector: rate-limit)
- Valid TLS (Firebase Hosting auto) (High; detector: ssl)
Paste this into Firebase
One prompt that runs the entire checklist as a code review pass.
Audit my Firebase project: replace default-allow Firestore and Storage rules with deny-by-default + per-document scoped allows using request.auth.uid, enable App Check and ENFORCE it (not just register), keep service-account JSON in a secret manager, ensure the Firebase config object only contains apiKey/authDomain/projectId (no secret data), set CSP allowing firebaseapp.com and firebaseio.com, set HSTS via firebase.json hosting.headers, set Secure+HttpOnly+SameSite on session cookies, allowlist CORS origins on custom Cloud Functions, rate-limit hot Cloud Functions endpoints, and verify TLS.
FAQ
Frequently asked questions
- What is the difference between App Check enabled and enforced?
- Enabled = your app sends App Check tokens. Enforced = Firebase rejects requests without tokens. Many teams enable but forget to enforce, which means abuse traffic still gets through. Toggle "Enforce" in the App Check dashboard.
- Can I test Security Rules locally?
- Yes: run firebase emulators:start --only firestore and use the Rules Playground. Test as an anonymous user, a signed-in user, and an admin. If the anonymous user can read or write anything you did not intend, fix the rules before you deploy.
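The first checklist item and the emulator question above, as an added example that is not code from the page or from SafeToShip: a Firestore rules file with the starter-template default-allow block shown commented out beside a deny-by-default ruleset whose allows are scoped per document on request.auth.uid. The collection names users and posts and the fields ownerUid and authorUid are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // BEFORE: the starter-template catch-all. Firestore grants a request if
    // ANY matching rule allows it, so leaving this in defeats every rule below.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // AFTER: no catch-all at all. Firestore denies anything no rule allows,
    // so each collection gets its own scoped match block.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // /users/{uid}: a user may only touch the profile whose id is their own uid
    // (assumed collection and field names).
    match /users/{uid} {
      allow read, delete: if isOwner(uid);
      // On create and update the stored owner field must also equal the
      // caller's uid, so a profile cannot be created for or reassigned to
      // someone else.
      allow create, update: if isOwner(uid)
                            && request.resource.data.ownerUid == uid;
    }

    // /posts/{postId}: any signed-in user can read; only the author can write.
    match /posts/{postId} {
      allow read: if signedIn();
      allow create: if signedIn()
                    && request.resource.data.authorUid == request.auth.uid;
      // resource is the stored document, request.resource the incoming one:
      // check ownership on the former and block reassigning the author field
      // on the latter.
      allow update: if signedIn()
                    && resource.data.authorUid == request.auth.uid
                    && request.resource.data.authorUid == resource.data.authorUid;
      allow delete: if signedIn()
                    && resource.data.authorUid == request.auth.uid;
    }
  }
}
```

Load this in the emulator with firebase emulators:start --only firestore and, in the Rules Playground, try each path as anonymous, as the owning user and as a second signed-in user; the second user should be denied on /users/{uid} entirely and on every write to another author's post.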
Per-issue depth
Fix guides for this checklist
Firebase rules too permissive
Firestore rules that allow unauthenticated reads or writes leave your database open to anyone. Here is how to write rules that actually protect your data.
Firebase config issues
The Firebase config in your client code is fine to expose — but only if your rules are strict. Here is how to tell the difference between safe exposure and a leak.
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.