Built with Firebase?
Security scanning for Firebase apps
Firebase makes real-time apps easy, but misconfigured Firestore rules and open Storage buckets are the top security issues we find in Firebase projects.
Free scan. No account required.
Common issues
Top vulnerabilities in Firebase apps
These are the three most common security issues we find when scanning Firebase projects.
Firestore security rules allowing unauthenticated reads and writes
Firebase API keys exposed in client code with overly permissive access
Cloud Storage buckets with public listing enabled for all files
How it works
60-second security audit
01. Paste your URL
Enter your Firebase app URL. We handle the rest.
02. Get your score
10 security modules run in parallel against your live site.
03. Fix with AI prompts
Copy the fix prompts into your AI tool and ship secure.
10 security modules, one scan
Every scan checks security headers, SSL/TLS, exposed files, JavaScript secrets, Supabase & Firebase configs, CORS, cookies, email security, and tech detection.
Fix guides for Firebase
Common Firebase security fixes
Firebase rules too permissive
Firestore rules that allow unauthenticated reads or writes leave your database open to anyone. Here is how to write rules that actually protect your data.
Firebase config issues
The Firebase config in your client code is fine to expose — but only if your rules are strict. Here is how to tell the difference between safe exposure and a leak.
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
FAQ
Firebase security FAQ
- Is it OK that my Firebase config is in my HTML?
- Yes — the web config (apiKey, authDomain, projectId) is public by design. What matters is that your Firestore and Storage rules require authentication and scope access to the right user.
- How do I know if my Firestore rules are too permissive?
- Open Firebase Console → Firestore → Rules. Look for `allow read: if true`, `allow write: if true`, or `allow read, write: if true` — those are wide open. Rules should reference `request.auth` and check ownership fields like `authorId` or `userId`.
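To show what the FAQ answer and the "Firebase rules too permissive" and "Cloud Storage buckets with public listing" findings look like in practice, here is an added example (not rules from this site or from any real project) of a wide-open Firestore ruleset beside a hardened one, followed by a Storage ruleset that scopes each user to their own folder. The `posts`, `users`, and `authorId` names are assumptions for illustration; the two files are shown in one block and would be deployed separately as `firestore.rules` and `storage.rules`.

```firestore
// firestore.rules (added example; collection and field names are assumptions)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WIDE OPEN: this is the pattern the scanner flags. Any client that
    // knows the projectId can read and overwrite every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Every check below starts from request.auth, which is null for
    // unauthenticated callers.
    function isSignedIn() {
      return request.auth != null;
    }
    // Ownership of the document already stored (update/delete).
    function ownsExisting() {
      return isSignedIn() && resource.data.authorId == request.auth.uid;
    }
    // Ownership claimed by the document being written (create/update).
    function ownsIncoming() {
      return isSignedIn() && request.resource.data.authorId == request.auth.uid;
    }

    match /posts/{postId} {
      allow read: if isSignedIn();
      allow create: if ownsIncoming();
      // Both checks on update: the owner may edit but cannot hand the
      // post to another uid by rewriting authorId.
      allow update: if ownsExisting() && ownsIncoming();
      allow delete: if ownsExisting();
    }

    // Per-user documents keyed by uid need no ownership field at all.
    match /users/{userId} {
      allow read, write: if isSignedIn() && request.auth.uid == userId;
    }
  }
}

// storage.rules (added example)
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // WIDE OPEN: 'read' covers both get and list, so this exposes a
    // directory listing of every object in the bucket.
    // match /{allPaths=**} {
    //   allow read: if true;
    // }

    // Each user may only get, list, and write objects under their own uid.
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Anything outside /users/ matches no rule and is denied by default.
  }
}
```

The Firebase emulator suite lets you run a rules unit test against these files before deploying; the cases worth asserting are an unauthenticated read of `/posts/x` (must fail), a signed-in read (must succeed), and an update that changes `authorId` to a different uid (must fail).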
Scan your Firebase app now
Find security issues before your users do. It takes 60 seconds and your first scan is free.