---
title: Bolt.new + Firebase Security Blueprint
description: Security guide for the Bolt.new + Firebase stack. Configure Firestore rules, protect credentials, handle authentication, and secure your Bolt-generated Firebase app.
ogDescription: Complete security configuration for Firebase apps built with Bolt.new.
category: blueprints
date: 2026-01-26
readTime: 10 min read
headerVariant: purple
---

# Bolt.new + Firebase Security Blueprint

::blueprint-summary
**To secure a Bolt.new + Firebase stack,** you need to: (1) replace the test-mode Firestore rules with production rules that check authentication and ownership, (2) configure Storage rules if your app uploads files, (3) add your production domains to the authorized list in Firebase Auth settings, and (4) verify that auth state handling persists sessions and gates protected routes. This blueprint provides platform-specific guidance for post-export security hardening.
::

::blueprint-meta{time="1-2 hours"}
::

::tldr
Bolt.new generates Firebase apps with test-mode security rules that allow anyone to read and write all data. Before deploying: replace the test rules with proper Firestore and Storage rules, configure Firebase Auth domains, and verify that no service account keys are exposed. Test your rules with the Firebase Emulator before going live.
::

## The Bolt.new + Firebase Security Problem

Bolt generates apps that work with Firebase's test mode:

| What Bolt Generates | Security Risk |
| --- | --- |
| Firebase initialization code | Usually correct; the web config it embeds is designed to be public |
| Firestore queries | Written against permissive rules, with no auth checks or ownership fields |
| Auth integration | May not persist sessions or gate routes properly |
| Security rules | Often test mode or missing entirely |

## Part 1: Replace Firebase Test Mode Rules

### Check Current Rules

In Firebase Console, check your Firestore rules. If they look like this, every document in the project can be read and written by anyone who has your (public) web config:

**DANGEROUS: Default test mode rules**

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;  // World-writable!
    }
  }
}
```

### Apply Secure Rules

Every rule below ties access to `request.auth.uid`. Checking only `request.auth != null` is not enough: that lets any signed-in user (including someone who just created an account) touch every other user's data.

**firestore.rules - Production-ready rules**

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Users collection: each user may only touch their own document
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
        && request.auth.uid == userId;
      // Create must be scoped to the caller's uid as well; otherwise any
      // signed-in user could pre-create another user's profile document
      allow create: if request.auth != null
        && request.auth.uid == userId;
    }

    // Posts: public read, owner write; authorId cannot be reassigned
    match /posts/{postId} {
      allow read: if true;
      allow create: if request.auth != null
        && request.resource.data.authorId == request.auth.uid;
      allow update: if request.auth != null
        && resource.data.authorId == request.auth.uid
        && request.resource.data.authorId == resource.data.authorId;
      allow delete: if request.auth != null
        && resource.data.authorId == request.auth.uid;
    }

    // Private user data
    match /private/{userId}/{document=**} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }

    // Anything not matched above is already denied by default;
    // this rule just makes the deny explicit
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

::warning-box
**Deploy rules before your app:** rule changes are applied on the Firebase backend as soon as they are published, independently of your app deployment. Publish the secure rules before the app is public, then retest the app, because a rule change can also break queries that silently relied on test mode.
::

## Part 2: Firebase Storage Rules

If your Bolt app uses Firebase Storage, secure it too. Storage has its own default rules, so fixing Firestore alone leaves uploaded files exposed:

**storage.rules**

```text
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // User uploads: restricted to the owner's folder
    match /users/{userId}/{allPaths=**} {
      // Any signed-in user can read; use request.auth.uid == userId here
      // instead if uploads are private rather than shared (e.g. avatars)
      allow read: if request.auth != null;
      allow write: if request.auth != null
        && request.auth.uid == userId
        && request.resource.size < 5 * 1024 * 1024  // 5MB limit
        && request.resource.contentType.matches('image/.*');
    }

    // Public assets (admin-uploaded only)
    match /public/{allPaths=**} {
      allow read: if true;
      allow write: if false;  // Only via Admin SDK, which bypasses rules
    }
  }
}
```

## Part 3: Authentication Setup

### Configure Auth Domains

Firebase Auth only completes sign-in redirects and popups for domains on the authorized list. In Firebase Console → Authentication → Settings:

**Authorized domains**

```text
# Add your production domains:
yourdomain.com
www.yourdomain.com
yourdomain.vercel.app  # If using Vercel

# Remove localhost once you no longer need local sign-in against the production project
```

### Verify Auth State Handling

Bolt-generated apps sometimes read `auth.currentUser` once at render time, which is `null` until the persisted session has been restored and makes every page load look signed out. The listener below is the pattern to check for:

**hooks/useAuth.ts - Check Bolt's implementation**

```ts
import { useEffect, useState } from 'react';
import { onAuthStateChanged, User } from 'firebase/auth';
import { auth } from '../lib/firebase';

export function useAuth() {
  const [user, setUser] = useState<User | null>(null);
  const [loading, setLoading] = useState(true);

  useEffect(() => {
    // onAuthStateChanged fires once the persisted session (if any) has been
    // restored, so `loading` stays true until Firebase knows the real state.
    const unsubscribe = onAuthStateChanged(auth, (user) => {
      setUser(user);
      setLoading(false);
    });

    return () => unsubscribe();
  }, []);

  return { user, loading };
}

// Usage: protect routes by checking both flags, in this order.
// Never treat `user === null` as "signed out" before loading has finished.
// if (loading) return a loading indicator
// if (!user) redirect to the sign-in route
```

## Part 4: Verify Generated Code

### Search for Security Issues

**Commands to check exported code**

```bash
# Look for service account keys (should never be in client code)
grep -rn --exclude-dir=node_modules "private_key" .
grep -rn --exclude-dir=node_modules "service_account" .
grep -rn --exclude-dir=node_modules "BEGIN PRIVATE KEY" .

# Check for hardcoded Firebase config (usually fine, but verify it is the
# public web config and not an admin credential)
grep -rn --exclude-dir=node_modules "apiKey" . --include="*.ts" --include="*.js"

# Find Firestore queries to review against your rules
grep -rn --exclude-dir=node_modules "collection\|doc\|setDoc\|updateDoc" . --include="*.ts" --include="*.tsx"
```

## Security Checklist

#### Post-Export Checklist for Bolt + Firebase

- Firestore rules replaced from test mode
- Storage rules configured (if using)
- Auth domains configured for production
- No service account keys in code
- Auth state listener implemented
- Protected routes check auth state
- Rules tested in Firebase Emulator
- Query patterns match rule structure

::stack-comparison
### Alternative Stacks to Consider

- **Bolt.new + Supabase**: PostgreSQL alternative with built-in RLS
- **Bolt.new + React + Firebase**: React-specific Firebase patterns
- **Bolt.new + Convex**: Real-time alternative with TypeScript functions
::

::faq-section
:::faq-item{question="My Bolt app stopped working after adding rules. Why?"}
Bolt-generated queries assume permissive access, so your new rules may block them. Look for `permission-denied` errors in the browser console. The usual causes are: a write that does not set the field the rule checks (for example `authorId`), a write attempted before auth state has resolved, or a query that is broader than the rule allows. Rules are not filters: a query that could return documents the user is not allowed to read is rejected outright, so the query's constraints must guarantee every returned document is readable.
:::

:::faq-item{question="Is the Firebase apiKey safe to expose?"}
Yes. The client-side Firebase config (apiKey, authDomain, projectId, etc.) is designed to ship in the browser; it identifies your project but grants no data access by itself. Security comes from your Firestore and Storage rules, not from hiding these values. What must never ship is a service account JSON file or private key, which bypasses rules entirely. As an additional layer, restrict the key to your domains in the Google Cloud API key settings and consider enabling Firebase App Check.
:::

:::faq-item{question="How do I test rules before deploying?"}
Use the Firebase Emulator Suite locally (`firebase emulators:start`) or the Rules Playground in Firebase Console. Test authenticated access, unauthenticated access, and cross-user access attempts (user A reading or writing user B's documents). The `@firebase/rules-unit-testing` package lets you turn those cases into automated tests that run against the emulator in CI.
:::
::

::related-articles
:related-card{title="Cursor + Firebase + Vercel" href="/blog/blueprints/cursor-firebase-vercel" description="Similar stack with Cursor"}
:related-card{title="Firebase Security Guide" href="/blog/guides/firebase" description="Deep dive into Firebase"}
:related-card{title="Bolt + Supabase" href="/blog/blueprints/bolt-supabase" description="Alternative with Supabase"}
::

::cta-box{href="/" label="Start Free Scan"}
## Exported a Bolt + Firebase app?

Scan for insecure rules and missing auth checks.
::
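The grep commands in Part 4 only find strings. The following added example, which is not code from the original blueprint or from Bolt, turns the checks this page describes into a small TypeScript script you could run in CI before publishing rules: it parses a `firestore.rules` (or `storage.rules`) file and flags world-writable rules, public reads on a catch-all path, and write rules that only test `request.auth != null` without ever comparing `request.auth.uid`, then scans source files for service-account material. The function names, the `Finding` shape and all sample inputs are constructed for this example; it assumes the rules file has one statement per line with closing braces on their own lines, which is how the Firebase console and CLI format them.

```typescript
// Added example (not from the original blueprint or from Bolt): a static
// pre-deploy check for an exported Bolt + Firebase project. All inputs are
// constructed samples. Assumption: one statement per line, closing braces on
// their own line (the console/CLI formatting).

interface Finding {
  line: number;                        // 1-based line number in the rules file
  path: string;                        // match path in effect at that line
  severity: "high" | "medium" | "info";
  message: string;
}

const MATCH_RE = /^match\s+(\S+)\s*\{$/;
const ALLOW_RE = /^allow\s+([a-z,\s]+?)\s*:\s*if\s+(.+?)\s*;/;
const WRITE_OPS = new Set(["write", "create", "update", "delete"]);

function checkRules(rules: string): Finding[] {
  const findings: Finding[] = [];
  const scopes: string[] = [];       // "" for non-match blocks such as `service`
  const report = (stmt: string, at: number): void => {
    const a = ALLOW_RE.exec(stmt);
    if (!a) return;
    const ops = a[1].split(",").map((s) => s.trim()).filter(Boolean);
    const cond = a[2];
    const path = scopes.join("");
    const writes = ops.some((op) => WRITE_OPS.has(op));
    const catchAll = (scopes[scopes.length - 1] ?? "").includes("=**");
    if (cond === "true" && writes) {
      findings.push({ line: at, path, severity: "high",
        message: `world-writable: allow ${ops.join(", ")} if true` });
    } else if (cond === "true" && catchAll) {
      findings.push({ line: at, path, severity: "high",
        message: "every document is publicly readable" });
    } else if (cond === "true") {
      findings.push({ line: at, path, severity: "info",
        message: "public read; confirm this collection is meant to be public" });
    } else if (writes && /request\.auth\s*!=\s*null/.test(cond) && !/request\.auth\.uid/.test(cond)) {
      findings.push({ line: at, path, severity: "medium",
        message: `any signed-in user may ${ops.join(", ")}; condition never compares request.auth.uid` });
    }
  };

  const lines = rules.split("\n");
  let pending: { start: number; text: string } | null = null;  // multi-line `allow`
  for (let i = 0; i < lines.length; i++) {
    const line = (lines[i] ?? "").replace(/\/\/.*$/, "").trim(); // drop trailing comment
    if (pending) {                                               // continuation line
      pending.text += " " + line;
      if (line.includes(";")) { report(pending.text, pending.start); pending = null; }
      continue;
    }
    const m = MATCH_RE.exec(line);
    if (m) { scopes.push(m[1]); continue; }
    if (line.startsWith("}")) { scopes.pop(); continue; }
    if (line.endsWith("{")) { scopes.push(""); continue; }        // `service ... {`
    if (line.startsWith("allow")) {
      if (line.includes(";")) report(line, i + 1);
      else pending = { start: i + 1, text: line };
    }
  }
  return findings;
}

// Patterns that indicate admin credentials rather than the public web config
const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["service account JSON", /"type"\s*:\s*"service_account"/],
  ["private key block", /-----BEGIN (?:RSA )?PRIVATE KEY-----/],
  ["private_key field", /"private_key"\s*:/],
];

function scanForServiceAccountKeys(files: Record<string, string>): string[] {
  const hits: string[] = [];
  for (const name of Object.keys(files)) {
    if (name.split("/").includes("node_modules")) continue;   // vendored code, skip
    for (const [label, re] of SECRET_PATTERNS) {
      if (re.test(files[name])) { hits.push(`${name}: ${label}`); break; }
    }
  }
  return hits;
}

// Constructed sample: what Bolt ships in test mode (template starts on line 1)
const TEST_MODE_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;  // World-writable!
    }
  }
}`;

// Constructed sample: a half-fixed ruleset with the "signed in is enough" mistake
const HALF_FIXED_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read: if request.auth != null
        && request.auth.uid == userId;
      allow create: if request.auth != null;
    }
    match /posts/{postId} {
      allow read: if true;
      allow write: if request.auth != null;
    }
  }
}`;

// Constructed sample project: a public web config (fine) and a leaked admin key (not fine)
const SAMPLE_FILES: Record<string, string> = {
  "src/lib/firebase.ts": 'export const firebaseConfig = { apiKey: "AIzaExampleOnly", authDomain: "demo.firebaseapp.com" };',
  "functions/serviceAccount.json": '{ "type": "service_account", "project_id": "demo", "private_key": "-----BEGIN PRIVATE KEY-----\\nexample\\n-----END PRIVATE KEY-----\\n" }',
  "node_modules/some-lib/test/fixture.json": '{ "type": "service_account" }',
};
```

Run it against the real `firestore.rules`, `storage.rules` and a file listing of the exported project: the test-mode sample yields one `high` finding at line 5 under `/databases/{database}/documents/{document=**}`, the half-fixed sample yields `medium` findings for the unscoped `create` and `write` rules plus an `info` for the public `posts` read, and the file scan reports only `functions/serviceAccount.json`, not the public web config. Treat any `high` or `medium` finding as a deploy blocker; the `info` ones are there so you consciously confirm which collections are meant to be public.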