[{"data":1,"prerenderedAt":185},["ShallowReactive",2],{"blog-launch/firebase-backend":3},{"id":4,"title":5,"body":6,"category":164,"date":165,"dateModified":166,"description":167,"draft":168,"extension":169,"faq":170,"featured":168,"headerVariant":171,"image":170,"keywords":170,"meta":172,"navigation":173,"ogDescription":174,"ogTitle":175,"path":176,"readTime":170,"schemaOrg":177,"schemaType":178,"seo":179,"sitemap":180,"stem":181,"tags":182,"twitterCard":183,"__hash__":184},"blog/blog/launch/firebase-backend.md","Firebase Backend Launch Security Checklist: 16 Items Before Going Live",{"type":7,"value":8,"toc":158},"minimark",[9,19,22,47,67,86,102,118,123,126,129],[10,11,12,16],"tldr",{},[13,14,15],"p",{},"TL;DR",[13,17,18],{},"Firebase security relies on Security Rules. Before launch, write and test rules for Firestore, Realtime Database, and Storage. Verify users can only access their own data, configure auth settings, and never leave rules in test mode (allow read, write: true).",[20,21],"print-button",{},[23,24,27,30,35,39,43],"checklist-section",{"count":25,"title":26},"5","Security Rules",[13,28,29],{},"::checklist-item{label=\"Remove test mode rules\" description=\"Delete any \"allow read, write: true\" or \"allow read, write: if true\" rules\"}\n::",[31,32],"checklist-item",{"description":33,"label":34},"Use request.auth.uid to restrict access to user's own documents","Write proper Firestore rules",[31,36],{"description":37,"label":38},"Use the Firebase console to test rules before deploying","Test rules in Rules Playground",[31,40],{"description":41,"label":42},"Storage also needs rules. Verify file access is restricted.","Check Storage rules",[31,44],{"description":45,"label":46},"Log in as two users, verify neither can access the other's data","Verify data isolation",[23,48,51,55,59,63],{"count":49,"title":50},"4","Authentication",[31,52],{"description":53,"label":54},"Only enable auth methods you actually use","Configure sign-in providers",[31,56],{"description":57,"label":58},"Add your production domain to authorized domains list","Set authorized domains",[31,60],{"description":61,"label":62},"Customize verification and password reset emails","Configure email templates",[31,64],{"description":65,"label":66},"Verify unconfirmed users can't access protected features","Test email verification (if enabled)",[23,68,70,74,78,82],{"count":49,"title":69},"API Keys and Configuration",[31,71],{"description":72,"label":73},"The Firebase config (apiKey, etc.) is safe for browsers. Security comes from rules.","Firebase config is safe for client",[31,75],{"description":76,"label":77},"Service account JSON must never be in client code","Protect Admin SDK credentials",[31,79],{"description":80,"label":81},"Consider enabling App Check to prevent API abuse","Review App Check settings",[31,83],{"description":84,"label":85},"In Google Cloud Console, restrict API key to your domains","Configure API key restrictions",[23,87,90,94,98],{"count":88,"title":89},"3","Cloud Functions (if using)",[31,91],{"description":92,"label":93},"Verify context.auth exists before accessing protected data","Add auth checks to functions",[31,95],{"description":96,"label":97},"Never trust data passed to functions. Validate everything.","Validate function inputs",[31,99],{"description":100,"label":101},"Catch issues you may have missed","Run automated security scan",[103,104,105,112],"faq-section",{},[106,107,109],"faq-item",{"question":108},"Is it safe to expose Firebase config in the browser?",[13,110,111],{},"Yes, the Firebase configuration (apiKey, projectId, etc.) is designed to be public. Security comes from your Security Rules, not from hiding the config. The apiKey just identifies your project.",[106,113,115],{"question":114},"What are test mode rules?",[13,116,117],{},"When you create a Firebase project in test mode, rules allow anyone to read/write all data. This is only for development. Before launch, you must write proper rules that restrict access.",[119,120,122],"h3",{"id":121},"scan-your-firebase-app","Scan Your Firebase App",[13,124,125],{},"Find security issues before launch.",[13,127,128],{},"Start Free Scan",[130,131,132,138,143,148,153],"related-articles",{},[133,134],"related-card",{"description":135,"href":136,"title":137},"Security checklist for Product Hunt launches. 12 essential items to verify before your launch day to handle traffic spik","/blog/launch/product-hunt","Product Hunt Launch Security Checklist: 12 Items Before Launch Day",[133,139],{"description":140,"href":141,"title":142},"Security checklist for public product launches. 16 essential items to verify before opening your product to the world, f","/blog/launch/public-launch","Public Launch Security Checklist: 16 Items Before Going Live",[133,144],{"description":145,"href":146,"title":147},"Pre-launch security checklist for Python APIs (FastAPI, Flask, Django). 16 essential items covering authentication, inpu","/blog/launch/python-api","Python API Launch Security Checklist: 16 Items Before Going Live",[133,149],{"description":150,"href":151,"title":152},"Security checklist for public API launches. 16 essential items to verify before opening your API to external developers,","/blog/launch/api-public-launch","API Public Launch Security Checklist: 16 Items Before Opening Your API",[133,154],{"description":155,"href":156,"title":157},"Security checklist for beta launches. 14 essential items to verify before inviting your first beta users, including data","/blog/launch/beta-launch","Beta Launch Security Checklist: 14 Items Before Inviting Beta Users",{"title":159,"searchDepth":160,"depth":160,"links":161},"",2,[162],{"id":121,"depth":163,"text":122},3,"launch","2026-02-06","2026-02-13","Pre-launch security checklist for Firebase backends. 16 essential items covering security rules, authentication, API keys, and production configuration.",false,"md",null,"orange",{},true,"Pre-launch security checklist for Firebase. 16 essential items before deploying.","Firebase Backend Launch Security Checklist","/blog/launch/firebase-backend","[object Object]","Article",{"title":5,"description":167},{"loc":176},"blog/launch/firebase-backend",[],"summary_large_image","4kUuG3u2iDEhTHAPy2otJMwBTAwGdPW-iwcNM1I6bZQ",1775843935994]