Firebase Security Rules provide robust, completely customizable protection for your data in Cloud Firestore, Realtime Database, and Cloud Storage. You can easily get started with Rules following the steps in this guide, securing your data and protecting your app from malicious users.
Understand the Firebase Security Rules language
Before you start writing rules, it's worthwhile to take some time to review
the specific Firebase Security Rules language for the Firebase products you're using.
Realtime Database leverages a JavaScript-like syntax and JSON structure for its
Rules. Alternately, Cloud Firestore and Cloud Storage leverage a superset
of the Common Expression Language (CEL) that relies on match and allow
statements that set a condition for access at a defined path.
Learn more about the Firebase Security Rules language.
Set up Authentication
If you haven't done it already, identify your users with Firebase Authentication. Firebase Authentication supports many common authentication methods and integrates with Firebase Security Rules to provide comprehensive verification capabilities.
You can set up additional, custom authentication information for your app.
Learn more about Firebase Security Rules and Firebase Authentication.
Define your data and rules structures
The way you structure your data might affect the way you structure and implement your rules. As you define your data structures, consider the implications they might have on your Rules structure.
For example, in Cloud Firestore, you might want to include a field that denotes a specific role for each user. Then, your rules can read that field and use it to grant role-based access.
As you define your data and rules architectures, keep in mind that, if any rule grants access to a dataset, Firebase Security Rules grants access to that dataset. In other words, you can't refine access at a subpath if you've granted access at a higher level in your data hierarchy.
Access your rules
To view your existing Rules, use either the Firebase CLI or the Firebase console. Make sure you edit your rules using the same method, consistently, to avoid mistakenly overwriting updates. If you're not sure whether your locally defined rules reflect the most recent updates, the Firebase console always shows the most recently deployed version of your Firebase Security Rules.
To access your rules from the Firebase console, select your project, then navigate to Realtime Database, Cloud Firestore or Storage. Click Rules once you're in the correct database or storage bucket.
To access your rules from the Firebase CLI, go to the rules file noted in your firebase.json file.
Write basic rules
As you're developing your app and understanding Rules, try implementing a few basic Security Rules, including the following use cases:
- Content-owner only: Restrict access to content by user.
- Mixed access: Restrict write access by user, but allow public read access.
- Attribute-based access: Restrict access to a group or type of user.
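The three use cases above, together with the role field and the "any granting rule wins" behavior described under "Define your data and rules structures", written as one Cloud Firestore ruleset. This is an added example, not part of the original guide; the collection names (users, posts, reports) and field names (role, authorId) are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: users/{uid} holds a 'role' field for each user.
    // If the caller has no user document, the lookup fails and access is denied.
    function callerRole() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;
    }

    // WEAK (left commented out): a broad recursive match such as
    //   match /{document=**} { allow read, write: if request.auth != null; }
    // grants every signed-in user access to all documents. Because access is
    // granted if ANY rule grants it, the narrower rules below could not
    // take that access away again.

    // Content-owner only: users read their own profile document.
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      // Owners may update their profile but not change their own role.
      allow update: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.role == resource.data.role;
      // No create or delete from clients: profiles and roles are assumed to be
      // provisioned by trusted server code (the Admin SDK bypasses rules).
    }

    // Mixed access: public read, writes restricted to the author.
    match /posts/{postId} {
      allow read: if true;
      allow create: if request.auth != null
                    && request.resource.data.authorId == request.auth.uid;
      allow update: if request.auth != null
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId;
      allow delete: if request.auth != null
                    && resource.data.authorId == request.auth.uid;
    }

    // Attribute-based access: only users whose role is 'admin'.
    match /reports/{reportId} {
      allow read, write: if request.auth != null && callerRole() == 'admin';
    }
  }
}
```

Paths that match no rule are denied, so the ruleset only needs to state what is allowed.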
Test your rules
To fully validate your app's behavior and verify your Firebase Security Rules
configurations, use the Firebase Emulator to run and automate unit
tests in a local environment.
If you're setting up your Firebase Security Rules in the Firebase console, you can use the Firebase Rules Simulator to quickly validate behavior. However, we recommend more thorough testing with the Firebase Emulator before you deploy your changes to production.
Deploy rules
Use the Firebase console or the Firebase CLI to deploy your rules to production. Follow the steps outlined in Manage and deploy Firebase Security Rules.