Firebase Backend Launch Security Checklist

TL;DR

Firebase security relies on Security Rules. Before launch, write and test rules for Firestore, Realtime Database, and Storage. Verify users can only access their own data, configure auth settings, and never leave rules in test mode (allow read, write: true).

Security Rules 5

::checklist-item{label="Remove test mode rules" description="Delete any "allow read, write: true" or "allow read, write: if true" rules"} ::

Write proper Firestore rulesUse request.auth.uid to restrict access to user's own documents

Test rules in Rules PlaygroundUse the Firebase console to test rules before deploying

Check Storage rulesStorage also needs rules. Verify file access is restricted.

Verify data isolationLog in as two users, verify neither can access the other's data

Authentication 4

Configure sign-in providersOnly enable auth methods you actually use

Set authorized domainsAdd your production domain to authorized domains list

Configure email templatesCustomize verification and password reset emails

Test email verification (if enabled)Verify unconfirmed users can't access protected features

API Keys and Configuration 4

Firebase config is safe for clientThe Firebase config (apiKey, etc.) is safe for browsers. Security comes from rules.

Protect Admin SDK credentialsService account JSON must never be in client code

Review App Check settingsConsider enabling App Check to prevent API abuse

Configure API key restrictionsIn Google Cloud Console, restrict API key to your domains

Cloud Functions (if using) 3

Add auth checks to functionsVerify context.auth exists before accessing protected data

Validate function inputsNever trust data passed to functions. Validate everything.

Run automated security scanCatch issues you may have missed

Is it safe to expose Firebase config in the browser?

Yes, the Firebase configuration (apiKey, projectId, etc.) is designed to be public. Security comes from your Security Rules, not from hiding the config. The apiKey just identifies your project.

What are test mode rules?

When you create a Firebase project in test mode, rules allow anyone to read/write all data. This is only for development. Before launch, you must write proper rules that restrict access.

Scan Your Firebase App

Find security issues before launch.