[{"data":1,"prerenderedAt":179},["ShallowReactive",2],{"blog-blueprints/nextjs-firebase":3},{"id":4,"title":5,"body":6,"category":159,"date":160,"dateModified":160,"description":161,"draft":162,"extension":163,"faq":164,"featured":162,"headerVariant":165,"image":164,"keywords":164,"meta":166,"navigation":167,"ogDescription":168,"ogTitle":164,"path":169,"readTime":170,"schemaOrg":171,"schemaType":172,"seo":173,"sitemap":174,"stem":175,"tags":176,"twitterCard":177,"__hash__":178},"blog/blog/blueprints/nextjs-firebase.md","Next.js + Firebase Security Blueprint",{"type":7,"value":8,"toc":149},"minimark",[9,20,23,29,34,49,53,62,66,71,74,77,80,83,86,100,137],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure a Next.js + Firebase stack,"," you need to: (1) replace default test-mode Firestore rules with production security rules, (2) use the client SDK in Client Components and Admin SDK only in API routes/Server Actions, (3) configure Storage rules for file uploads, (4) store service account credentials in environment variables (server-side only), and (5) configure authorized domains in Firebase Console. This blueprint covers Firestore rules and proper SDK separation.",[21,22],"blueprint-meta",{},[24,25,26],"tldr",{},[13,27,28],{},"Next.js with Firebase requires proper security rules and careful separation of client vs admin SDK usage. 
Key tasks: configure Firestore rules, use client SDK in Client Components, use Admin SDK only in API routes/Server Actions, and store service account credentials server-side only. Treat the sample rules below as a starting point: the posts create rule accepts any authorId from a signed-in user, so add a check that it equals request.auth.uid before production.",[30,31,33],"h2",{"id":32},"firestore-security-rules-firebase","Firestore Security Rules Firebase",[35,36,38],"code-block",{"label":37},"firestore.rules",[39,40,45],"pre",{"className":41,"code":43,"language":44},[42],"language-text","rules_version = '2';\nservice cloud.firestore {\n  match /databases/{database}/documents {\n    match /users/{userId} {\n      allow read, update: if request.auth != null\n        && request.auth.uid == userId;\n    }\n    match /posts/{postId} {\n      allow read: if true;\n      allow create: if request.auth != null;\n      allow update, delete: if request.auth != null\n        && resource.data.authorId == request.auth.uid;\n    }\n  }\n}\n","text",[46,47,43],"code",{"__ignoreMap":48},"",[30,50,52],{"id":51},"admin-sdk-server-side-only-nextjs","Admin SDK (Server-Side Only) Next.js",[35,54,56],{"label":55},"lib/firebase-admin.ts",[39,57,60],{"className":58,"code":59,"language":44},[42],"import { initializeApp, getApps, cert } from 'firebase-admin/app';\n\nconst serviceAccount = JSON.parse(\n  process.env.FIREBASE_SERVICE_ACCOUNT_KEY || '{}'\n);\n\nif (!getApps().length) {\n  initializeApp({ credential: cert(serviceAccount) });\n}\n\n// Use in API routes and Server Actions only, never in Client Components\n",[46,61,59],{"__ignoreMap":48},[30,63,65],{"id":64},"security-checklist","Security Checklist",[67,68,70],"h4",{"id":69},"pre-launch-checklist","Pre-Launch Checklist",[13,72,73],{},"Firestore rules updated from test mode",[13,75,76],{},"Storage rules configured",[13,78,79],{},"Admin SDK only in server code",[13,81,82],{},"Service account key in server-side env vars only (no NEXT_PUBLIC_ prefix)",[13,84,85],{},"Authorized domains configured in Firebase Console",[87,88,89,95],"related-articles",{},[90,91],"related-card",{"description":92,"href":93,"title":94},"With AI tooling","/blog/blueprints/cursor-firebase-vercel","Cursor + Firebase + 
Vercel",[90,96],{"description":97,"href":98,"title":99},"Deep dive","/blog/guides/firebase","Firebase Security Guide",[101,102,103,108,111],"stack-comparison",{},[104,105,107],"h3",{"id":106},"alternative-stacks","Alternative Stacks",[13,109,110],{},"Consider these related blueprints:",[112,113,114,123,130],"ul",{},[115,116,117,122],"li",{},[118,119,121],"a",{"href":120},"/blog/blueprints/nextjs-supabase-vercel","Next.js + Supabase + Vercel"," - For PostgreSQL with RLS",[115,124,125,129],{},[118,126,128],{"href":127},"/blog/blueprints/react-firebase","React + Firebase"," - Client-only SPA version",[115,131,132,136],{},[118,133,135],{"href":134},"/blog/blueprints/vue-firebase","Vue + Firebase"," - Vue alternative",[138,139,142,146],"cta-box",{"href":140,"label":141},"/","Start Free Scan",[30,143,145],{"id":144},"building-with-this-stack","Building with this stack?",[13,147,148],{},"Scan for rule issues and SDK misuse.",{"title":48,"searchDepth":150,"depth":150,"links":151},2,[152,153,154,158],{"id":32,"depth":150,"text":33},{"id":51,"depth":150,"text":52},{"id":64,"depth":150,"text":65,"children":155},[156],{"id":106,"depth":157,"text":107},3,{"id":144,"depth":150,"text":145},"blueprints","2026-02-09","Security guide for Next.js + Firebase stack. Configure Firestore rules, use Firebase Admin SDK safely, handle authentication, and secure your deployment.",false,"md",null,"purple",{"noindex":167},true,"Complete security configuration for Next.js apps with Firebase.","/blog/blueprints/nextjs-firebase","10 min read","[object Object]","Article",{"title":5,"description":161},{"loc":169},"blog/blueprints/nextjs-firebase",[],"summary_large_image","wjRRgzO0oNfF9MS8U_JyruoO3mW1kL5Oav9J2xDNkyI",1775843932141]