Firebase Security Checklist: 20-Item Guide for Firestore, Auth & Storage

TL;DR

Never deploy with "allow read, write: if true" rules. Write specific security rules for each collection. Use request.auth to verify authentication. Validate data structure in rules. Keep admin SDK server-side only. This 20-item checklist covers all essentials. 6 critical items must be fixed before launch, 8 important items within the first week, and 6 recommended items when you can.

Quick Checklist (5 Critical Items)

No open rules (allow read, write: if true)This allows anyone to read and modify all data

Authentication required for user dataUse request.auth != null in rules

Users can only access their own dataCheck request.auth.uid == resource.data.userId

Service account keys not in client codeAdmin SDK should only be used server-side

Callable functions verify authenticationCheck context.auth in Cloud Functions

Firestore Security Rules 5

No open rules (allow read, write: if true)This allows anyone to read and modify all data. How to write secure Firebase rules

Authentication required for user dataUse request.auth != null in rules. How to require authentication

Users can only access their own dataCheck request.auth.uid == resource.data.userId. How to implement ownership rules

Data validation in rulesValidate field types, lengths, and required fields. How to validate data in rules

::checklist-item{label="Separate read/write permissions" description="Don't use "allow read, write" - specify each operation. How to set granular permissions"} ::

Storage Security Rules 4

No public write accessDon't allow unauthenticated uploads. How to secure Firebase Storage

Users can only access their own filesPath should include user ID: /users/{uid}/files/... How to structure storage paths

File type validationCheck request.resource.contentType in rules. How to validate file types

File size limitsCheck request.resource.size in rules. How to set size limits

Authentication 4

Email enumeration protection enabledEnable in Firebase Console > Authentication > Settings. How to prevent email enumeration

Authorized domains configuredOnly your domains should be in the authorized list. How to configure authorized domains

Password requirements setConfigure minimum password strength. How to set password requirements

Unused sign-in methods disabledOnly enable auth methods you actually use. How to manage auth methods

Cloud Functions 4

Callable functions verify authenticationCheck context.auth in Cloud Functions. How to verify auth in functions

HTTP functions validate tokensVerify ID tokens for HTTP-triggered functions. How to validate ID tokens

Input validation in functionsValidate all data passed to functions. How to validate on server

CORS configured properlyRestrict origins for HTTP functions. How to configure CORS

Admin SDK & Service Accounts 3

Service account keys not in client codeAdmin SDK should only be used server-side. How to protect Admin SDK

Service account keys not in gitAdd service account JSON files to .gitignore. How to secure service accounts

Minimal service account permissionsDon't use owner role when viewer/editor is sufficient. How to configure IAM roles

How to Use This Checklist

Go through each item before deploying your Firebase project. If you find an issue, fix it before moving on. In Firebase Console, go to Firestore/Storage and look for the yellow warning banner about insecure rules. If you see it, your database is open to the public.

Why are open Firebase rules dangerous?

Open rules (allow read, write: if true) let anyone read and modify all your data without authentication. Attackers can steal, delete, or corrupt your entire database. Always use specific rules that check authentication and authorization.

How do I check if my Firebase rules are secure?

In Firebase Console, check Firestore and Storage for yellow warning banners about insecure rules. Use the Rules Playground to test access scenarios. Deploy rules to the Emulator and write tests for both allowed and denied access.

Can I use the Admin SDK in the browser?

Never use the Admin SDK in browser code. It bypasses all security rules and has full access to your project. Use it only in server-side code like Cloud Functions, your own backend, or build scripts.