[{"data":1,"prerenderedAt":229},["ShallowReactive",2],{"blog-checklists/firebase-security-checklist":3},{"id":4,"title":5,"body":6,"category":206,"date":207,"dateModified":207,"description":208,"draft":209,"extension":210,"faq":211,"featured":209,"headerVariant":214,"image":215,"keywords":215,"meta":216,"navigation":217,"ogDescription":218,"ogTitle":215,"path":219,"readTime":215,"schemaOrg":220,"schemaType":221,"seo":222,"sitemap":223,"stem":224,"tags":225,"twitterCard":227,"__hash__":228},"blog/blog/checklists/firebase-security-checklist.md","Firebase Security Checklist: 20-Item Guide for Firestore, Auth & Storage",{"type":7,"value":8,"toc":200},"minimark",[9,16,19,22,47,67,87,106,124,139,144,147,169,188],[10,11,12],"tldr",{},[13,14,15],"p",{},"Never deploy with \"allow read, write: if true\" rules. Write specific security rules for each collection. Use request.auth to verify authentication. Validate data structure in rules. Keep admin SDK server-side only. This 20-item checklist covers all essentials. 6 critical items must be fixed before launch, 8 important items within the first week, and 6 recommended items when you can.",[13,17,18],{},"Firebase gives you a production backend in minutes, which is great -- until you realize those default security rules are basically an open invitation. The console even warns you with a yellow banner, but it is surprisingly easy to ignore and ship anyway. Go through this checklist and close the gaps before someone else finds them.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"This allows anyone to read and modify all data","No open rules (allow read, write: if true)",[27,32],{"description":33,"label":34},"Use request.auth != null in rules","Authentication required for user data",[27,36],{"description":37,"label":38},"Check request.auth.uid == resource.data.userId","Users can only access their own data",[27,40],{"description":41,"label":42},"Admin SDK should only be used server-side","Service account keys not in client code",[27,44],{"description":45,"label":46},"Check context.auth in Cloud Functions","Callable functions verify authentication",[23,48,51,54,57,60,64],{"title":49,"count":50},"Firestore Security Rules","5",[27,52],{"description":53,"label":30},"This allows anyone to read and modify all data. How to write secure Firebase rules",[27,55],{"description":56,"label":34},"Use request.auth != null in rules. How to require authentication",[27,58],{"description":59,"label":38},"Check request.auth.uid == resource.data.userId. How to implement ownership rules",[27,61],{"description":62,"label":63},"Validate field types, lengths, and required fields. How to validate data in rules","Data validation in rules",[13,65,66],{},"::checklist-item{label=\"Separate read/write permissions\" description=\"Don't use \"allow read, write\" - specify each operation. How to set granular permissions\"}\n::",[23,68,71,75,79,83],{"title":69,"count":70},"Storage Security Rules","4",[27,72],{"description":73,"label":74},"Don't allow unauthenticated uploads. How to secure Firebase Storage","No public write access",[27,76],{"description":77,"label":78},"Path should include user ID: /users/{uid}/files/... How to structure storage paths","Users can only access their own files",[27,80],{"description":81,"label":82},"Check request.resource.contentType in rules. How to validate file types","File type validation",[27,84],{"description":85,"label":86},"Check request.resource.size in rules. How to set size limits","File size limits",[23,88,90,94,98,102],{"title":89,"count":70},"Authentication",[27,91],{"description":92,"label":93},"Enable in Firebase Console > Authentication > Settings. How to prevent email enumeration","Email enumeration protection enabled",[27,95],{"description":96,"label":97},"Only your domains should be in the authorized list. How to configure authorized domains","Authorized domains configured",[27,99],{"description":100,"label":101},"Configure minimum password strength. How to set password requirements","Password requirements set",[27,103],{"description":104,"label":105},"Only enable auth methods you actually use. How to manage auth methods","Unused sign-in methods disabled",[23,107,109,112,116,120],{"title":108,"count":70},"Cloud Functions",[27,110],{"description":111,"label":46},"Check context.auth in Cloud Functions. How to verify auth in functions",[27,113],{"description":114,"label":115},"Verify ID tokens for HTTP-triggered functions. How to validate ID tokens","HTTP functions validate tokens",[27,117],{"description":118,"label":119},"Validate all data passed to functions. How to validate on server","Input validation in functions",[27,121],{"description":122,"label":123},"Restrict origins for HTTP functions. How to configure CORS","CORS configured properly",[23,125,128,131,135],{"title":126,"count":127},"Admin SDK & Service Accounts","3",[27,129],{"description":130,"label":42},"Admin SDK should only be used server-side. How to protect Admin SDK",[27,132],{"description":133,"label":134},"Add service account JSON files to .gitignore. How to secure service accounts","Service account keys not in git",[27,136],{"description":137,"label":138},"Don't use owner role when viewer/editor is sufficient. How to configure IAM roles","Minimal service account permissions",[140,141,143],"h2",{"id":142},"how-to-use-this-checklist","How to Use This Checklist",[13,145,146],{},"Go through each item before deploying your Firebase project. If you find an issue, fix it before moving on. In Firebase Console, go to Firestore/Storage and look for the yellow warning banner about insecure rules. If you see it, your database is open to the public.",[148,149,150,157,163],"faq-section",{},[151,152,154],"faq-item",{"question":153},"Why are open Firebase rules dangerous?",[13,155,156],{},"Open rules (allow read, write: if true) let anyone read and modify all your data without authentication. Attackers can steal, delete, or corrupt your entire database. Always use specific rules that check authentication and authorization.",[151,158,160],{"question":159},"How do I check if my Firebase rules are secure?",[13,161,162],{},"In Firebase Console, check Firestore and Storage for yellow warning banners about insecure rules. Use the Rules Playground to test access scenarios. Deploy rules to the Emulator and write tests for both allowed and denied access.",[151,164,166],{"question":165},"Can I use the Admin SDK in the browser?",[13,167,168],{},"Never use the Admin SDK in browser code. It bypasses all security rules and has full access to your project. Use it only in server-side code like Cloud Functions, your own backend, or build scripts.",[170,171,172,178,183],"related-articles",{},[173,174],"related-card",{"description":175,"href":176,"title":177},"Complete guide to Firebase security","/blog/guides/firebase","Firebase Security Guide",[173,179],{"description":180,"href":181,"title":182},"Step-by-step rules tutorial","/blog/how-to/firebase-security-rules","How to Write Firebase Rules",[173,184],{"description":185,"href":186,"title":187},"Secure your auth implementation","/blog/checklists/authentication-security-checklist","Authentication Checklist",[189,190,193,197],"cta-box",{"href":191,"label":192},"/","Start Free Scan",[140,194,196],{"id":195},"scan-your-firebase-project","Scan Your Firebase Project",[13,198,199],{},"Our scanner checks for open rules and common Firebase security issues.",{"title":201,"searchDepth":202,"depth":202,"links":203},"",2,[204,205],{"id":142,"depth":202,"text":143},{"id":195,"depth":202,"text":196},"checklists","2026-01-27","Complete 20-item Firebase security checklist. Security rules for Firestore, Storage buckets, Authentication configuration, and Cloud Functions security.",false,"md",[212,213],{"question":153,"answer":156},{"question":159,"answer":162},"green",null,{},true,"Complete Firebase security checklist. Rules, auth, storage security.","/blog/checklists/firebase-security-checklist","[object Object]","HowTo",{"title":5,"description":208},{"loc":219},"blog/checklists/firebase-security-checklist",[226],"Security Checklist","summary_large_image","fuc98DAUa6rpPI5HVLXSyzKcZ7O7MuNE2vVoyiwc5Mg",1775843931547]