[{"data":1,"prerenderedAt":387},["ShallowReactive",2],{"blog-blueprints/cursor-firebase-vercel":3},{"id":4,"title":5,"body":6,"category":367,"date":368,"dateModified":368,"description":369,"draft":370,"extension":371,"faq":372,"featured":370,"headerVariant":373,"image":372,"keywords":372,"meta":374,"navigation":375,"ogDescription":376,"ogTitle":372,"path":377,"readTime":378,"schemaOrg":379,"schemaType":380,"seo":381,"sitemap":382,"stem":383,"tags":384,"twitterCard":385,"__hash__":386},"blog/blog/blueprints/cursor-firebase-vercel.md","Cursor + Firebase + Vercel Security Blueprint",{"type":7,"value":8,"toc":348},"minimark",[9,20,24,30,35,46,51,54,110,114,118,121,131,135,138,147,156,160,163,172,176,180,219,228,232,241,245,250,253,256,259,262,265,268,271,274,277,295,317,336],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a Cursor + Firebase + Vercel stack,"," you need to: (1) replace test-mode Firestore rules with production rules that check authentication and ownership, (2) configure Firebase Storage rules to restrict file access, (3) store the Firebase Admin SDK service account key in Vercel environment variables (never client-side), (4) create a .cursorignore file to prevent AI from accessing service account files, and (5) review AI-generated code for missing auth checks and overly permissive queries. This blueprint covers Firestore rules, Storage rules, and credential management across all three platforms.",[21,22],"blueprint-meta",{"time":23},"2-3 hours",[25,26,27],"tldr",{},[13,28,29],{},"Firebase with Cursor requires careful security rules configuration. The main risks are overly permissive Firestore rules (common in AI-generated code) and exposed service account keys. 
Write proper security rules before going live, use Firebase Auth for authentication, store the Firebase Admin SDK key in Vercel environment variables, and never expose it client-side.",[31,32,34],"h3",{"id":33},"platform-guides-checklists","Platform Guides & Checklists",[36,37,42],"pre",{"className":38,"code":40,"language":41},[39],"language-text","Cursor Security Guide\nFirebase Security Guide\nVercel Security Guide\nPre-Launch Checklist\n","text",[43,44,40],"code",{"__ignoreMap":45},"",[47,48,50],"h2",{"id":49},"stack-overview","Stack Overview",[13,52,53],{},"Firebase provides database, authentication, and storage in one platform. When combined with Cursor for development and Vercel for hosting, you get a powerful stack with specific security considerations:",[55,56,57,73],"table",{},[58,59,60],"thead",{},[61,62,63,67,70],"tr",{},[64,65,66],"th",{},"Component",[64,68,69],{},"Role",[64,71,72],{},"Security Focus",[74,75,76,88,99],"tbody",{},[61,77,78,82,85],{},[79,80,81],"td",{},"Cursor",[79,83,84],{},"AI code editor",[79,86,87],{},"Review generated Firebase rules",[61,89,90,93,96],{},[79,91,92],{},"Firebase",[79,94,95],{},"Database + Auth + Storage",[79,97,98],{},"Security rules, service account protection",[61,100,101,104,107],{},[79,102,103],{},"Vercel",[79,105,106],{},"Hosting",[79,108,109],{},"Environment variables, API routes",[47,111,113],{"id":112},"part-1-firestore-security-rules-firebase","Part 1: Firestore Security Rules",[31,115,117],{"id":116},"understanding-the-default-danger-firebase","Understanding the Default Danger",[13,119,120],{},"Firebase projects often start with test mode rules that allow all access. 
AI tools like Cursor might generate code that assumes these permissive rules:",[122,123,125],"code-block",{"label":124},"DANGEROUS: Test mode rules (never use in production)",[36,126,129],{"className":127,"code":128,"language":41},[39],"rules_version = '2';\nservice cloud.firestore {\n  match /databases/{database}/documents {\n    match /{document=**} {\n      allow read, write: if true;  // Anyone can read/write everything!\n    }\n  }\n}\n",[43,130,128],{"__ignoreMap":45},[31,132,134],{"id":133},"secure-firestore-rules-firebase","Secure Firestore Rules",[13,136,137],{},"Replace them with rules that require authentication and check ownership:",[122,139,141],{"label":140},"Secure Firestore rules",[36,142,145],{"className":143,"code":144,"language":41},[39],"rules_version = '2';\nservice cloud.firestore {\n  match /databases/{database}/documents {\n    // Users can only access their own user document\n    match /users/{userId} {\n      // create is held to the same uid check so nobody can claim another user's document\n      allow read, create, update: if request.auth != null\n        && request.auth.uid == userId;\n    }\n\n    // Posts are public to read, but only author can modify\n    match /posts/{postId} {\n      allow read: if true;\n      // A new post must name the caller as its author\n      allow create: if request.auth != null\n        && request.resource.data.authorId == request.auth.uid;\n      allow update, delete: if request.auth != null\n        && request.auth.uid == resource.data.authorId;\n    }\n\n    // Private data requires authentication\n    match /private/{userId}/{document=**} {\n      allow read, write: if request.auth != null\n        && request.auth.uid == userId;\n    }\n  }\n}\n",[43,146,144],{"__ignoreMap":45},[148,149,150],"warning-box",{},[13,151,152,155],{},[16,153,154],{},"AI code risk:"," Cursor may generate Firestore queries without checking if your rules allow them. 
Always verify that your security rules match your application's access patterns.",[31,157,159],{"id":158},"firebase-storage-rules-firebase","Firebase Storage Rules",[13,161,162],{},"Also secure your Firebase Storage:",[122,164,166],{"label":165},"Storage security rules",[36,167,170],{"className":168,"code":169,"language":41},[39],"rules_version = '2';\nservice firebase.storage {\n  match /b/{bucket}/o {\n    // User-specific uploads: any signed-in user can read, only the owner can write\n    match /users/{userId}/{allPaths=**} {\n      allow read: if request.auth != null;\n      allow write: if request.auth != null\n        && request.auth.uid == userId\n        && request.resource.size \u003C 5 * 1024 * 1024; // 5MB limit\n    }\n\n    // Public assets (read-only)\n    match /public/{allPaths=**} {\n      allow read: if true;\n      allow write: if false; // Only through Admin SDK\n    }\n  }\n}\n",[43,171,169],{"__ignoreMap":45},[47,173,175],{"id":174},"part-2-firebase-credentials-firebase-vercel","Part 2: Firebase Credentials",[31,177,179],{"id":178},"client-vs-admin-credentials-firebase","Client vs Admin Credentials",[55,181,182,195],{},[58,183,184],{},[61,185,186,189,192],{},[64,187,188],{},"Credential Type",[64,190,191],{},"Purpose",[64,193,194],{},"Exposure",[74,196,197,208],{},[61,198,199,202,205],{},[79,200,201],{},"Firebase Config (apiKey, etc.)",[79,203,204],{},"Client-side SDK",[79,206,207],{},"Safe for public (rules protect data)",[61,209,210,213,216],{},[79,211,212],{},"Service Account JSON",[79,214,215],{},"Admin SDK (bypasses rules)",[79,217,218],{},"Never expose publicly",[122,220,222],{"label":221},"Client-side Firebase config (safe to expose)",[36,223,226],{"className":224,"code":225,"language":41},[39],"// This config is designed for client-side use\nconst firebaseConfig = {\n  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,\n  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,\n  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,\n  storageBucket: 
process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,\n  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,\n  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID\n};\n",[43,227,225],{"__ignoreMap":45},[31,229,231],{"id":230},"admin-sdk-setup-server-side-only-vercel","Admin SDK Setup (Server-Side Only)",[122,233,235],{"label":234},"Server-side Admin SDK (API route or server component)",[36,236,239],{"className":237,"code":238,"language":41},[39],"// lib/firebase-admin.ts\nimport { initializeApp, getApps, cert } from 'firebase-admin/app';\nimport { getFirestore } from 'firebase-admin/firestore';\n\n// Server-only: this key bypasses security rules, so never give it a NEXT_PUBLIC_ prefix\nconst serviceAccount = JSON.parse(\n  process.env.FIREBASE_SERVICE_ACCOUNT_KEY || '{}'\n);\n\n// Initialize once; the module can be loaded more than once\nif (!getApps().length) {\n  initializeApp({\n    credential: cert(serviceAccount),\n  });\n}\n\nexport const adminDb = getFirestore();\n",[43,240,238],{"__ignoreMap":45},[47,242,244],{"id":243},"security-checklist","Security Checklist",[246,247,249],"h4",{"id":248},"pre-launch-checklist-for-cursor-firebase-vercel","Pre-Launch Checklist for Cursor + Firebase + Vercel",[13,251,252],{},"Firestore security rules updated from test mode",[13,254,255],{},"Storage security rules configured",[13,257,258],{},"Service account key in Vercel env vars only",[13,260,261],{},"Service account key not in git repository",[13,263,264],{},"Firebase Auth configured with allowed domains",[13,266,267],{},"Security headers in vercel.json",[13,269,270],{},".cursorignore excludes sensitive files",[13,272,273],{},"Admin SDK only used in API routes/server code",[13,275,276],{},"Rules tested with Firebase Emulator",[278,279,280,284],"stack-comparison",{},[31,281,283],{"id":282},"alternative-stack-configurations","Alternative Stack Configurations",[278,285,286,289],{},[13,287,288],{},"Cursor + Supabase + Vercel\nSwap Firebase for Supabase. 
Different security model with PostgreSQL RLS instead of Firestore rules.",[36,290,293],{"className":291,"code":292,"language":41},[39],"      Cursor + React + Firebase\n      Client-side focused React app without Vercel. Same Firebase security, different hosting considerations.\n\n\n      Bolt.new + Firebase\n      Swap Cursor for Bolt.new. Same Firebase/Vercel config, different AI code review approach.\n",[43,294,292],{"__ignoreMap":45},[296,297,298,305,311],"faq-section",{},[299,300,302],"faq-item",{"question":301},"Is the Firebase apiKey safe to expose?",[13,303,304],{},"Yes, the client-side Firebase config (including apiKey) is designed to be public. Security comes from your Firestore and Storage rules, not from hiding these keys. The apiKey just identifies your project.",[299,306,308],{"question":307},"How do I test Firestore rules before deploying?",[13,309,310],{},"Use the Firebase Emulator Suite locally, or the Rules Playground in the Firebase Console. Test with different auth states and document scenarios to verify rules work correctly.",[299,312,314],{"question":313},"When should I use the Admin SDK?",[13,315,316],{},"Use the Admin SDK in server-side code (Vercel API routes or server components) for operations that need to bypass security rules, like admin dashboards, background jobs, or operations that affect multiple users.",[318,319,320,326,331],"related-articles",{},[321,322],"related-card",{"description":323,"href":324,"title":325},"Alternative with Supabase","/blog/blueprints/cursor-supabase-vercel","Cursor + Supabase + Vercel",[321,327],{"description":328,"href":329,"title":330},"Deep dive into Firebase security","/blog/guides/firebase","Firebase Security Guide",[321,332],{"description":333,"href":334,"title":335},"Firebase with Bolt.new","/blog/blueprints/bolt-firebase","Bolt.new + Firebase",[337,338,341,345],"cta-box",{"href":339,"label":340},"/","Start Free Scan",[47,342,344],{"id":343},"using-firebase-with-cursor","Using Firebase with 
Cursor?",[13,346,347],{},"Scan your app for security rule issues and misconfigurations.",{"title":45,"searchDepth":349,"depth":349,"links":350},2,[351,353,354,359,363,366],{"id":33,"depth":352,"text":34},3,{"id":49,"depth":349,"text":50},{"id":112,"depth":349,"text":113,"children":355},[356,357,358],{"id":116,"depth":352,"text":117},{"id":133,"depth":352,"text":134},{"id":158,"depth":352,"text":159},{"id":174,"depth":349,"text":175,"children":360},[361,362],{"id":178,"depth":352,"text":179},{"id":230,"depth":352,"text":231},{"id":243,"depth":349,"text":244,"children":364},[365],{"id":282,"depth":352,"text":283},{"id":343,"depth":349,"text":344},"blueprints","2026-01-30","Complete security guide for the Cursor + Firebase + Vercel stack. Configure Firestore rules, protect Firebase credentials, and deploy securely to Vercel.",false,"md",null,"purple",{},true,"Security configuration for Cursor projects using Firebase and Vercel.","/blog/blueprints/cursor-firebase-vercel","11 min read","[object Object]","Article",{"title":5,"description":369},{"loc":377},"blog/blueprints/cursor-firebase-vercel",[],"summary_large_image","zXPfdtjFp7xqDHJflmSnnUUaLEDBEIMt3ibiOcotqxI",1775843932764]