[{"data":1,"prerenderedAt":207},["ShallowReactive",2],{"blog-blueprints/lovable-firebase":3},{"id":4,"title":5,"body":6,"category":187,"date":188,"dateModified":188,"description":189,"draft":190,"extension":191,"faq":192,"featured":190,"headerVariant":193,"image":192,"keywords":192,"meta":194,"navigation":195,"ogDescription":196,"ogTitle":192,"path":197,"readTime":198,"schemaOrg":199,"schemaType":200,"seo":201,"sitemap":202,"stem":203,"tags":204,"twitterCard":205,"__hash__":206},"blog/blog/blueprints/lovable-firebase.md","Lovable + Firebase Security Blueprint",{"type":7,"value":8,"toc":178},"minimark",[9,20,24,30,35,50,54,63,67,70,83,87,92,95,98,101,104,107,110,120,154,166],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a Lovable + Firebase stack,"," you need to: (1) replace test-mode Firestore rules with production-ready rules, (2) configure Storage rules for file uploads, (3) add your production domain to Firebase Auth settings, and (4) test all rules with the Firebase Emulator. This blueprint covers Firestore, Storage, and Auth security configuration.",[21,22],"blueprint-meta",{"time":23},"1-2 hours",[25,26,27],"tldr",{},[13,28,29],{},"Lovable generates Firebase apps that may use test-mode security rules. Before deployment: replace permissive Firestore rules with production-ready rules, configure Firebase Auth domains, and verify Storage rules if using file uploads. 
Test rules with the Firebase Emulator before going live.",[31,32,34],{"id":33},"part-1-firebase-firestore-security-rules","Part 1: Firebase Firestore Security Rules",[36,37,39],{"label":38},"Replace test mode rules",[40,41,46],"pre",{"className":42,"code":44,"language":45},[43],"language-text","rules_version = '2';\nservice cloud.firestore {\n  match /databases/{database}/documents {\n    // User documents\n    match /users/{userId} {\n      allow read, update, delete: if request.auth != null\n        && request.auth.uid == userId;\n      // NOTE(review): this lets any signed-in user create a document under any userId;\n      // consider also requiring request.auth.uid == userId, as on the rule above.\n      allow create: if request.auth != null;\n    }\n\n    // User content\n    match /posts/{postId} {\n      allow read: if true;\n      allow create: if request.auth != null\n        && request.resource.data.authorId == request.auth.uid;\n      allow update, delete: if request.auth != null\n        && resource.data.authorId == request.auth.uid;\n    }\n\n    // Private user data\n    match /private/{userId}/{document=**} {\n      allow read, write: if request.auth != null\n        && request.auth.uid == userId;\n    }\n  }\n}\n","text",[47,48,44],"code",{"__ignoreMap":49},"",[31,51,53],{"id":52},"part-2-firebase-storage-rules","Part 2: Firebase Storage Rules",[36,55,57],{"label":56},"storage.rules",[40,58,61],{"className":59,"code":60,"language":45},[43],"rules_version = '2';\nservice firebase.storage {\n  match /b/{bucket}/o {\n    match /users/{userId}/{allPaths=**} {\n      // NOTE(review): any signed-in user can read every user's files here;\n      // add request.auth.uid == userId if these uploads are private.\n      allow read: if request.auth != null;\n      allow write: if request.auth != null\n        && request.auth.uid == userId\n        && request.resource.size \u003C 5 * 1024 * 1024;\n    }\n  }\n}\n",[47,62,60],{"__ignoreMap":49},[31,64,66],{"id":65},"part-3-firebase-auth-configuration","Part 3: Firebase Auth Configuration",[13,68,69],{},"In Firebase Console → Authentication → Settings:",[71,72,73,77,80],"ul",{},[74,75,76],"li",{},"Add your production domain to authorized domains",[74,78,79],{},"Configure OAuth redirect URIs",[74,81,82],{},"Review 
sign-in methods enabled",[31,84,86],{"id":85},"security-checklist","Security Checklist",[88,89,91],"h4",{"id":90},"pre-launch-checklist-for-lovable-firebase","Pre-Launch Checklist for Lovable + Firebase",[13,93,94],{},"Firestore rules updated from test mode",[13,96,97],{},"Storage rules configured",[13,99,100],{},"Auth domains include production URL",[13,102,103],{},"Auth state properly handled in app",[13,105,106],{},"No service account keys in client code",[13,108,109],{},"Rules tested with Firebase Emulator",[111,112,113],"faq-section",{},[114,115,117],"faq-item",{"question":116},"Is the Firebase apiKey safe to expose?",[13,118,119],{},"Yes, the client-side Firebase config is designed for public use; it identifies your project rather than authorizing access. Your security comes from Firestore and Storage rules, not from hiding these values. Service account keys are the opposite case: they bypass security rules and must never ship in client code.",[121,122,123,127,130],"stack-comparison",{},[31,124,126],{"id":125},"alternative-stack-options","Alternative Stack Options",[13,128,129],{},"Consider these related blueprints for different stack combinations:",[71,131,132,140,147],{},[74,133,134,139],{},[135,136,138],"a",{"href":137},"/blog/blueprints/lovable-supabase","Lovable + Supabase"," - Alternative backend with PostgreSQL",[74,141,142,146],{},[135,143,145],{"href":144},"/blog/blueprints/bolt-firebase","Bolt + Firebase"," - Same backend, different AI tool",[74,148,149,153],{},[135,150,152],{"href":151},"/blog/blueprints/lovable-vercel","Lovable + Vercel"," - Deployment platform guide",[155,156,157,161],"related-articles",{},[158,159],"related-card",{"description":160,"href":144,"title":145},"Similar stack with Bolt",[158,162],{"description":163,"href":164,"title":165},"Deep dive into Firebase","/blog/guides/firebase","Firebase Security Guide",[167,168,171,175],"cta-box",{"href":169,"label":170},"/","Start Free Scan",[31,172,174],{"id":173},"built-with-lovable-firebase","Built with Lovable + Firebase?",[13,176,177],{},"Scan for insecure rules and auth 
issues.",{"title":49,"searchDepth":179,"depth":179,"links":180},2,[181,182,183,184,185,186],{"id":33,"depth":179,"text":34},{"id":52,"depth":179,"text":53},{"id":65,"depth":179,"text":66},{"id":85,"depth":179,"text":86},{"id":125,"depth":179,"text":126},{"id":173,"depth":179,"text":174},"blueprints","2026-02-05","Security guide for Lovable + Firebase stack. Configure Firestore rules, protect credentials, handle authentication, and secure your Lovable-generated Firebase app.",false,"md",null,"purple",{},true,"Complete security configuration for Firebase apps built with Lovable.","/blog/blueprints/lovable-firebase","10 min read","[object Object]","Article",{"title":5,"description":189},{"loc":197},"blog/blueprints/lovable-firebase",[],"summary_large_image","gHuQGK7aXZQ74ixcdggpnwLis6H55Pn6P4nSOD2-evw",1775843932243]