Critical severity

How to fix open Firebase security rules

Your Firebase project has security rules that allow unauthenticated reads or writes. `allow read, write: if true;` means the internet has full access to the collection. This is common in Firebase tutorials and carries over into AI-built apps. Fix it by writing rules that require `request.auth != null` and that match the shape of your data (e.g., users can only write their own documents).

Why it matters

Firestore is accessed directly from the client using your web API key. That key is public by design — Firestore rules are the only thing between a browser and your data.

How to check

  1. In Firebase console, go to Firestore → Rules.
  2. Look for `allow read` or `allow write` with `if true` or no condition.
  3. Check for rules that expire: `if request.time < timestamp.date(2026, ...);` is a time-limited "open for demo" rule that stopped protecting you at that date.
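The three manual checks above can be run as a script over a rules file before every deploy. The following is an added example, not SafeToShip's or Firebase's code: a small static audit in Node that flags every `allow` statement that is unconditional, guarded by `if true`, or time-limited via `request.time < timestamp.date(...)`, plus any condition that never mentions `request.auth`. The `auditRules` and `parseExpiry` function names and the rules text in `SAMPLE_RULES` are constructed for illustration; the `now` parameter exists so the expiry check can be pinned to a date.

```javascript
// Added example: static audit of Firestore/Storage rules text.
// Not SafeToShip's or Firebase's code; names and sample rules are constructed.

const SAMPLE_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /public/{doc} {
      allow read: if true;            // open read, as in many tutorials
    }
    match /demo/{doc} {
      allow read, write: if request.time < timestamp.date(2024, 1, 31);
    }
    match /legacy/{doc} {
      allow write;                     // no condition at all
    }
  }
}
`;

// Pull a `timestamp.date(Y, M, D)` expiry out of a condition, if present.
function parseExpiry(cond) {
  const t = cond.match(
    /request\.time\s*<\s*timestamp\.date\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)/
  );
  return t ? new Date(Date.UTC(+t[1], +t[2] - 1, +t[3])) : null;
}

// Return findings as { line, statement, reason }. `now` is injectable so
// the expiry check is deterministic (defaults to the current date).
function auditRules(rulesText, now = new Date()) {
  const findings = [];
  rulesText.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, '').trim(); // drop trailing comments
    if (!line.startsWith('allow ')) return;
    // `allow <ops>;` or `allow <ops>: if <condition>;`
    const m = line.match(/^allow\s+([^:;]+?)\s*(?::\s*if\s+(.*?))?\s*;?\s*$/);
    if (!m) return;
    const ops = m[1].trim();
    const cond = m[2] === undefined ? null : m[2].trim();
    const report = (reason) =>
      findings.push({ line: idx + 1, statement: line, reason });

    if (cond === null) {
      report(`allow ${ops} with no condition (same as if true)`);
      return;
    }
    if (cond === 'true') {
      report(`allow ${ops} if true: open to the internet`);
      return;
    }

    const hasAuth = /request\.auth/.test(cond);
    const expiry = parseExpiry(cond);
    if (expiry) {
      const when = expiry.toISOString().slice(0, 10);
      const state = now >= expiry ? `expired on ${when}` : `expires ${when}`;
      report(
        `allow ${ops} is time-limited (${state})` +
          (hasAuth ? '' : ' and has no request.auth check')
      );
      return;
    }
    if (!hasAuth) report(`allow ${ops} never checks request.auth`);
  });
  return findings;
}

// Stand-alone run: print the report for the constructed sample.
for (const f of auditRules(SAMPLE_RULES)) {
  console.log(`line ${f.line}: ${f.reason}\n    ${f.statement}`);
}
```

Run it against your real `firestore.rules` and `storage.rules` files in CI and fail the build on any finding; the "never checks request.auth" case is a heuristic (a rule could legitimately gate on a custom function), so review those hits by hand rather than silencing the check.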


How to fix it

Firestore rules

Write rules that require auth and scope access to the user.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Users can read/write their own document
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }

    // Posts: authenticated users can read; only author can modify
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow create: if request.auth != null && request.resource.data.authorId == request.auth.uid;
      allow update, delete: if request.auth != null && resource.data.authorId == request.auth.uid;
    }

    // Default deny
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Storage rules

Firebase Storage has its own rules. The default is often open. Lock it down similarly:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}

AI prompt

Copy-paste into your AI tool

Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.

My Firebase Firestore and Storage rules allow unauthenticated access. Write strict rules that: (1) require request.auth != null for all reads and writes; (2) for each collection in my app, let users only read and write their own documents based on a userId or authorId field; (3) end with a default-deny rule. Look at how my app queries Firestore to figure out the ownership field for each collection. Generate rules for both Firestore and Storage.

FAQ

Frequently asked questions

How do I test rules safely?
Use the Rules Playground in Firebase console to simulate authenticated and unauthenticated requests. Or use the emulator suite locally.
What about admin access from my backend?
The Firebase Admin SDK bypasses security rules. Use it only from server code (Cloud Functions, your own backend). Never include Admin SDK credentials in client code.
