With Cloud Firestore Security Rules, you can focus on building a great user
experience without having to manage infrastructure or write server-side
authentication and authorization code.
Security rules provide access control and data validation in a simple yet
expressive format. To build user-based and role-based access systems that keep your
users' data safe, you need to use
Firebase
Authentication
with Cloud Firestore Security Rules.
Security rules version 2
As of May 2019, version 2 of the Cloud Firestore security rules is now
available. Version 2 of the rules changes the behavior of
recursive
wildcards
{name=**}
. You must use version 2 if you plan to
use
collection group queries
. You must opt-in to
version 2 by making
rules_version = '2';
the first line in your security
rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
Writing rules
You will write and manage Cloud Firestore Security Rules tailored to the data model you
create for the default database and each additional database in your project.
All Cloud Firestore Security Rules consist of
match
statements, which identify documents in
your database, and
allow
expressions, which control access to those documents:
service cloud.firestore {
match /databases/{database}/documents {
match /<some_path>/ {
allow read, write: if <some_condition>;
}
}
}
Every database request from a Cloud Firestore mobile/web client library is evaluated against
your security rules before reading or writing any data. If the rules deny access
to any of the specified document paths, the entire request fails.
Below are some examples of basic rule sets. While these rules are valid, they
are not recommended for production applications:
Auth required
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
Deny all
// Deny read/write access to all users under any conditions
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
Allow all
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
The
{document=**}
path used in the examples above matches any document in the
entire database. Continue on to the guide for
structuring security rules
to
learn how to match specific data paths and work with hierarchical data.
Testing rules
Cloud Firestore provides a rules simulator that you can use to test your
ruleset. You can access the simulator from the
Rules
tab
in
the Cloud Firestore section of the Firebase console.
The rules simulator lets you simulate authenticated and unauthenticated reads,
writes, and deletes. When you simulate an authenticated request, you can build
and preview authentication tokens from various providers. Simulated requests run
against the ruleset in your editor, not your currently deployed ruleset.
Deploying rules
Before you can start using Cloud Firestore from your mobile app, you will need
to deploy security rules. You can deploy rules in the Firebase console, using
the Firebase CLI, or with the Cloud Firestore management REST API.
Updates to Cloud Firestore Security Rules can take up to a minute to affect new queries and
listeners. However, it can take up to 10 minutes to fully propagate the changes
and affect any active listeners.
Use the Firebase console
To set up and deploy your first set of rules, for the default database in your
project, open the
Rules
tab
in the Cloud Firestore
section of the Firebase console.
Write your rules in the online editor, then click
Publish
.
Use the Firebase CLI
You can also deploy rules using the
Firebase
CLI
. Using the CLI allows you to keep
your rules under version control with your application code and deploy rules as
part of your existing deployment process.
// Set up Firestore in your project directory, creates a .rules file
firebase init firestore
// Edit the generated .rules file to your desired security rules
// ...
// Deploy rules for all configured databases
firebase deploy --only firestore
Enhance security for Cloud Storage
Your apps will benefit from the robust database features of Cloud Firestore
and the file storage and management features of Cloud Storage. Used
together, these products also provide reinforcing app security, since
Cloud Firestore can capture authorization requirements usable by Firebase Security Rules
for both products. For more, see the
guide for Cloud Storage
.
Next steps