Lovable + Firebase Security Blueprint


To secure a Lovable + Firebase stack, you need to: (1) replace test-mode Firestore rules with production-ready rules, (2) configure Storage rules for file uploads, (3) add your production domain to Firebase Auth settings, and (4) test all rules with the Firebase Emulator. This blueprint covers Firestore, Storage, and Auth security configuration.

Setup Time: 1-2 hours

TL;DR

Lovable generates Firebase apps that may use test-mode security rules. Before deployment: replace permissive Firestore rules with production-ready rules, configure Firebase Auth domains, and verify Storage rules if using file uploads. Test rules with the Firebase Emulator before going live.

Part 1: Firebase Firestore Security Rules

Replace test-mode rules (firestore.rules)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // User documents: a signed-in user may only read or modify their own
    // document, and may only create the document keyed by their own uid
    // (without the uid check on create, any signed-in user could create
    // a document under someone else's id).
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
        && request.auth.uid == userId;
      allow create: if request.auth != null
        && request.auth.uid == userId;
    }

    // User content: anyone may read, but only the author may create,
    // update or delete a post, and an update may not reassign authorId.
    match /posts/{postId} {
      allow read: if true;
      allow create: if request.auth != null
        && request.resource.data.authorId == request.auth.uid;
      allow update: if request.auth != null
        && resource.data.authorId == request.auth.uid
        && request.resource.data.authorId == request.auth.uid;
      allow delete: if request.auth != null
        && resource.data.authorId == request.auth.uid;
    }

    // Private user data: the whole subtree is owner-only.
    match /private/{userId}/{document=**} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }
  }
}

Part 2: Firebase Storage Rules

storage.rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Per-user folders: any signed-in user may read, but only the owner
    // may write, and each upload is capped at 5 MB.
    match /users/{userId}/{allPaths=**} {
      allow read: if request.auth != null;
      allow write: if request.auth != null
        && request.auth.uid == userId
        && request.resource.size < 5 * 1024 * 1024;
    }
  }
}
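The checklist item "Firestore rules updated from test mode" is easy to miss when Lovable regenerates files, so a pre-deploy check that fails the build on test-mode patterns is worth having. The following is an added example, not code from the blueprint or from Lovable or Firebase: a small Python linter for the rules language that flags the time-limited open access Firebase test mode generates, unconditional writes, and write rules that never consult request.auth. It works on both Firestore and Storage rules text; the rule files embedded below are constructed for the example.

```python
"""Static check for test-mode / over-permissive Firebase rules.

Added example, not part of the original blueprint. It scans Firestore or
Storage rules text for patterns that should never reach production:
  - a time-limited open rule ("if request.time < timestamp.date(...)"),
    which is what Firebase test mode generates,
  - unconditional write access ("allow write: if true;"),
  - write-class rules that never consult request.auth.
The sample rule files below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: the shape Firebase generates in test mode.
TEST_MODE_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2024, 12, 31);
    }
  }
}
"""

# Constructed sample: the shape of the production rules in this blueprint.
PROD_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
        && request.auth.uid == userId;
      allow create: if request.auth != null
        && request.auth.uid == userId;
    }
    match /posts/{postId} {
      allow read: if true;
      allow create: if request.auth != null
        && request.resource.data.authorId == request.auth.uid;
    }
  }
}
"""

# Operations that change data; public "read" is a policy choice, not a defect.
WRITE_OPS = {"write", "create", "update", "delete"}

# One "allow <ops>: if <condition>;" statement, possibly spanning lines.
ALLOW_RE = re.compile(r"allow\s+([\w,\s]+?)\s*:\s*if\s+(.*?);", re.S)


@dataclass
class Finding:
    line: int      # 1-based line of the "allow" keyword
    ops: list      # operations the statement grants
    reason: str


def check_rules(text: str) -> list:
    """Return a list of Finding for every statement that looks like test mode."""
    findings = []
    for m in ALLOW_RE.finditer(text):
        ops = [o.strip() for o in m.group(1).split(",")]
        cond = " ".join(m.group(2).split())  # collapse whitespace and newlines
        line = text.count("\n", 0, m.start()) + 1
        if "request.time <" in cond and "timestamp.date(" in cond:
            findings.append(Finding(line, ops, "test-mode expiry rule (time-limited open access)"))
            continue
        if WRITE_OPS & set(ops):
            if cond == "true":
                findings.append(Finding(line, ops, "unconditional write access"))
            elif "request.auth" not in cond:
                findings.append(Finding(line, ops, "write rule does not check request.auth"))
    return findings


def is_production_ready(text: str) -> bool:
    """True when no test-mode or unauthenticated-write pattern is present."""
    return not check_rules(text)


if __name__ == "__main__":
    for name, text in (("test-mode sample", TEST_MODE_RULES), ("blueprint sample", PROD_RULES)):
        findings = check_rules(text)
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  line {f.line}: allow {', '.join(f.ops)} -> {f.reason}")
```

Run it over firestore.rules and storage.rules in CI and fail the deploy on any finding; it complements, not replaces, the Emulator tests, since it only reads the rule text and does not evaluate paths or data.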

Part 3: Firebase Auth Configuration

In Firebase Console → Authentication → Settings:

  • Add your production domain to authorized domains
  • Configure OAuth redirect URIs
  • Review sign-in methods enabled

Security Checklist

Pre-Launch Checklist for Lovable + Firebase

  • Firestore rules updated from test mode
  • Storage rules configured
  • Auth domains include production URL
  • Auth state properly handled in app
  • No service account keys in client code
  • Rules tested with Firebase Emulator

Is the Firebase apiKey safe to expose?

Yes, the client-side Firebase config is designed for public use. Your security comes from Firestore and Storage rules, not from hiding these values.
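The distinction above, and the checklist item "No service account keys in client code", can be enforced mechanically: the public web config is fine to ship, while a service-account JSON (which bypasses Firestore and Storage rules entirely) must never reach a client bundle. The following is an added example, not code from the blueprint or from Firebase: a Python scanner that looks for service-account markers in client source files and confirms that a file carrying only the public config produces no finding. The file contents and key values below are constructed placeholders.

```python
"""Find Firebase service-account credentials in client-side code.

Added example, not part of the original blueprint. The public Firebase web
config (apiKey, authDomain, projectId, ...) is meant to ship to browsers;
a service-account key (the JSON downloaded from the Cloud console) is not,
because it bypasses Firestore and Storage rules. This scanner tells the
two apart. All sample files and values below are constructed placeholders.
"""
import re

# Markers that appear only in service-account / admin credentials.
SECRET_PATTERNS = {
    "service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
    "service_account_email": re.compile(r"[\w-]+@[\w-]+\.iam\.gserviceaccount\.com"),
}

# The public web config field; listed so the scanner can say it is NOT a finding.
PUBLIC_CONFIG_RE = re.compile(r"\bapiKey\s*:")

# Constructed sample client bundle: path -> contents.
SAMPLE_FILES = {
    "src/firebase.ts": """\
const firebaseConfig = {
  apiKey: "AIza-PLACEHOLDER-PUBLIC-KEY",
  authDomain: "example-app.firebaseapp.com",
  projectId: "example-app",
};
""",
    "src/admin.ts": """\
// An admin credential pasted into the client build by mistake (constructed).
const serviceAccount = {
  "type": "service_account",
  "client_email": "firebase-adminsdk-xxxx@example-app.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
};
""",
}


def scan_client_files(files: dict) -> dict:
    """Return {path: [marker names]} for every file containing admin credentials."""
    findings = {}
    for path, text in files.items():
        hits = [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]
        if hits:
            findings[path] = hits
    return findings


def has_public_config_only(text: str) -> bool:
    """True when a file carries the public web config and no admin secret."""
    return bool(PUBLIC_CONFIG_RE.search(text)) and not any(
        rx.search(text) for rx in SECRET_PATTERNS.values()
    )


if __name__ == "__main__":
    for path, hits in scan_client_files(SAMPLE_FILES).items():
        print(f"{path}: service-account material found ({', '.join(hits)})")
    print("src/firebase.ts public config only:",
          has_public_config_only(SAMPLE_FILES["src/firebase.ts"]))
```

Point the scanner at the built client bundle rather than only the source tree, since bundlers inline imported JSON; a hit means the key must be revoked in the Cloud console, not just deleted from the repository.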
