What is Firebase?
Firebase is a Google-owned backend-as-a-service offering Firestore (document database), Authentication, Cloud Storage, and related tools. Like Supabase, Firebase talks directly to the client — security is enforced by Firestore and Storage rules, not by a middle-tier API.
In more detail
Firebase config (apiKey, authDomain, projectId) is public by design — you put it in your client code. What matters is your Firestore and Storage rules. A rule like `allow read, write: if true;` means the entire internet has full access to that collection.
Rules are written in a Firebase-specific DSL that references `request.auth` (the caller's identity, or null when unauthenticated), `resource.data` (the stored document), and other request context. The most common mistake is forgetting to tighten rules after the initial "test mode" period expires.
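The following `firestore.rules` file is an added example written for this page, not code from Firebase or from any project the page describes. It places the open "test mode" rule next to a hardened ruleset that uses the `request.auth` and `resource.data` context described above. The collection name `notes` and the field names `ownerId`, `title` and `body` are assumptions chosen for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak rules (do not ship). The first is the "test mode" template: it
    // opens every collection until the date passes, then denies everything,
    // which is when people are tempted to replace it with the second form.
    // match /{document=**} {
    //   allow read, write: if request.time < timestamp.date(2024, 1, 1);
    // }
    // match /{document=**} {
    //   allow read, write: if true;   // the entire internet has full access
    // }

    // Helper: the request carries a verified Firebase Auth identity.
    function signedIn() {
      return request.auth != null;
    }

    // Helper: the signed-in user owns the given document.
    // (ownerId is an assumed field name on each document.)
    function isOwner(doc) {
      return signedIn() && doc.data.ownerId == request.auth.uid;
    }

    // Hardened rules for an assumed "notes" collection.
    match /notes/{noteId} {
      // Only the owner can read an existing note; resource is the stored doc.
      allow read: if isOwner(resource);

      // Creating a note: caller must be signed in, must name themselves as
      // owner, and must send only the expected fields with sane types/sizes.
      // request.resource is the document as it would be written.
      allow create: if signedIn()
        && request.resource.data.ownerId == request.auth.uid
        && request.resource.data.keys().hasOnly(['ownerId', 'title', 'body'])
        && request.resource.data.title is string
        && request.resource.data.title.size() <= 200
        && request.resource.data.body is string;

      // Updating: owner only, and the ownerId field may not be reassigned.
      allow update: if isOwner(resource)
        && request.resource.data.ownerId == resource.data.ownerId;

      // Deleting: owner only.
      allow delete: if isOwner(resource);
    }

    // Firestore already denies anything no rule allows; this explicit
    // catch-all documents that intent so a future edit cannot widen it by
    // accident.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Deploy with `firebase deploy --only firestore:rules` and confirm in the console that the catch-all and per-collection rules are what the live project is serving. Because rules only ever grant access (an explicit `false` never overrides a matching `true` elsewhere), audit every `match` block that could overlap a sensitive path, not just the one you most recently edited.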
Why this matters
Why builders care
Firebase tutorials often start with open rules for demo purposes. AI-built apps sometimes inherit those rules and ship them. An open Firestore collection means anyone can read or delete your entire database.
Fix guides
Fix Firebase issues
Firebase rules too permissive
Firestore rules that allow unauthenticated reads or writes leave your database open to anyone. Here is how to write rules that actually protect your data.
Firebase config issues
The Firebase config in your client code is fine to expose — but only if your rules are strict. Here is how to tell the difference between safe exposure and a leak.