Firebase security rules too permissive
Your Firebase project has security rules that allow unauthenticated reads or writes. `allow read, write: if true;` means anyone on the internet has full read and write access to every path the enclosing match covers; under `match /{document=**}` that is the whole database. Test-mode defaults (`if request.time < timestamp.date(...)`) have the same effect until the cutoff date passes. This is common in Firebase tutorials and carries over into AI-built apps. Fix it by writing rules that require `request.auth != null` and that match the shape of your data (e.g., users can only write their own documents, and an update cannot hand a document to a different owner).
The fix for Firebase
Firestore rules
Write rules that require auth and scope access to the user.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Users can read/write their own document
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Posts: authenticated users can read; only the author can modify,
    // and an update may not reassign the post to another authorId
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow create: if request.auth != null && request.resource.data.authorId == request.auth.uid;
      allow update: if request.auth != null && resource.data.authorId == request.auth.uid
        && request.resource.data.authorId == resource.data.authorId;
      allow delete: if request.auth != null && resource.data.authorId == request.auth.uid;
    }
    // Explicit default deny. Firestore already denies anything no rule allows,
    // and overlapping matches are OR'd, so this block documents intent; an
    // `if false` never revokes access granted by another match above.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
Storage rules
Firebase Storage has its own rules file. The test-mode default allows any read or write until a cutoff date, and the production default (`allow read, write: if request.auth != null;`) lets any signed-in user read and overwrite every file in the bucket. Lock it down to per-user paths:
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Each user may only read and write files under their own prefix
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Explicit default deny for every other path
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
Why it matters
Firestore and Storage are accessed directly from the browser or mobile app using the web API key in your Firebase config. That key only identifies the project; it does not authenticate anyone and is public by design. Security rules are the only thing between an anonymous visitor and your data, so they have to check both who is writing and what is being written.
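Because rules are the only check, it pays to validate the shape of each document as well as its owner. The following is an added example, not code from the original page: the Firestore rules above extended with schema validation. The collection names and field lists (`users` with `displayName`/`photoURL`, `posts` with `authorId`/`title`/`body`/`createdAt`) are assumptions about the app's data model and should be replaced with your own.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions are declared in the rules file; they are not built-ins.
    function signedIn() {
      return request.auth != null;
    }

    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // A post must have exactly these fields, with the right types and bounded sizes.
    // (Assumed schema for this example.)
    function validPost(data) {
      return data.keys().hasOnly(['authorId', 'title', 'body', 'createdAt'])
        && data.keys().hasAll(['authorId', 'title', 'body', 'createdAt'])
        && data.authorId is string
        && data.title is string && data.title.size() > 0 && data.title.size() <= 200
        && data.body is string && data.body.size() <= 20000
        && data.createdAt is timestamp;
    }

    match /users/{userId} {
      allow read: if isOwner(userId);
      // Restrict which fields a user may write to their own profile, so the client
      // cannot add e.g. a `role: "admin"` flag that server code might trust.
      allow create, update: if isOwner(userId)
        && request.resource.data.keys().hasOnly(['displayName', 'photoURL'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 80
        && (!('photoURL' in request.resource.data)
            || (request.resource.data.photoURL is string));
      allow delete: if isOwner(userId);
    }

    match /posts/{postId} {
      allow read: if signedIn();
      // The creator must claim their own uid, the document must match the schema,
      // and createdAt must be a server timestamp (serverTimestamp() == request.time).
      allow create: if isOwner(request.resource.data.authorId)
        && validPost(request.resource.data)
        && request.resource.data.createdAt == request.time;
      // Only the author may edit; the result must still match the schema, and
      // authorId / createdAt are immutable, so ownership cannot be transferred.
      allow update: if isOwner(resource.data.authorId)
        && validPost(request.resource.data)
        && request.resource.data.authorId == resource.data.authorId
        && request.resource.data.createdAt == resource.data.createdAt;
      allow delete: if isOwner(resource.data.authorId);
    }

    // Firestore denies anything no rule allows; this block only documents intent.
    // Overlapping matches are OR'd, so `if false` here cannot revoke access
    // granted by a match above.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Deploy with `firebase deploy --only firestore:rules`. Clients must then write `createdAt` with `serverTimestamp()` and send exactly the listed fields, or the create is rejected; a rejected write is the rule doing its job, not a bug in the rule. A runtime error inside a rule (for example, reading `authorId` from a document that lacks it) also evaluates to deny.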
Confirm the fix worked
Scan your Firebase site to confirm this finding is gone. You can also check by hand: an unauthenticated request (no `Authorization` header) to the Firestore REST endpoint for a collection, `https://firestore.googleapis.com/v1/projects/<project-id>/databases/(default)/documents/users` with your own project ID in place of `<project-id>`, should now return HTTP 403 with `PERMISSION_DENIED` instead of document contents.
AI prompt
Apply across your codebase
Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.
My Firebase Firestore and Storage rules allow unauthenticated access. Write strict rules that: (1) require request.auth != null for all reads and writes; (2) for each collection in my app, let users only read and write their own documents based on a userId or authorId field; (3) on update, require the ownership field to stay unchanged; (4) end with a default-deny rule. Look at how my app queries Firestore to figure out the ownership field for each collection. Generate rules for both Firestore and Storage.
FAQ
Frequently asked questions
- How do I test rules safely?
- Use the Rules Playground in the Firebase console to simulate authenticated and unauthenticated requests against a specific path. For repeatable checks, run the Firestore and Storage emulators from the Emulator Suite locally and write tests with `@firebase/rules-unit-testing`, so rule changes are verified before `firebase deploy`.
- What about admin access from my backend?
- The Firebase Admin SDK bypasses security rules. Use it only from server code (Cloud Functions, your own backend). Never include Admin SDK credentials in client code.
Related fix guides
Fix these too
Firebase config issues
The Firebase config in your client code is fine to expose — but only if your rules are strict. Here is how to tell the difference between safe exposure and a leak.
Read more
Supabase RLS disabled
A Supabase table without RLS is readable (and often writable) by anyone with your anon key. Here is exactly how to turn on RLS and write your first policy.
Read more
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Read more