Firebase Security Rules
Use our flexible, extensible Firebase Security Rules to
secure your data in Cloud Firestore, Firebase Realtime Database, and
Cloud Storage.
Firebase Security Rules stand between your data and malicious users. You can write simple or
complex rules that protect your app's data to the level of granularity that
your specific app requires.
Firebase Security Rules use extensible, flexible configuration languages to define what data
your users can access in Realtime Database, Cloud Firestore, and Cloud Storage.
Firebase Realtime Database Security Rules are written in JSON, while
Cloud Firestore Security Rules and Firebase Security Rules for Cloud Storage use a
dedicated language built to express more complex, rules-specific structures.
Learn more about how to set up Rules for the specific Firebase products
you use in your app, and how Rules behavior differs across Firebase
products.
Key capabilities
Flexibility: Write custom rules that make sense for your app's structure and behavior.
The rules languages let you use your own data (for example, fields of the document
being accessed) to authorize access.
Granularity: Your rules can be as broad or as narrow as you need.
Independent security: Because Rules are defined outside of your app (in the Firebase
console or with the Firebase CLI) and enforced by Firebase's servers, clients aren't
responsible for enforcing security. A bug in, or a tampered copy of, a client can't
bypass them, so your data is protected by the same checks no matter which client
talks to it. Rules only protect what they cover, so every product you use needs its own.
How do they work?
Firebase Security Rules work by matching a pattern against database paths, and then applying
custom conditions to allow access to data at those paths. All Rules
across Firebase products have a path-matching component and a conditional
statement allowing read or write access. You must define Rules for
each Firebase product you use in your app.
For Cloud Firestore and Cloud Storage, Rules use the following
syntax:
service <<name>> {
  // Match the resource path.
  match <<path>> {
    // Allow the request if the following conditions are true.
    allow <<methods>>: if <<condition>>;
  }
}
For Realtime Database, JSON-based Rules use the following syntax:
{
  "rules": {
    "<<path>>": {
      // Allow the request if the condition for each method is true.
      ".read": <<condition>>,
      ".write": <<condition>>
    }
  }
}
Rules are combined as OR statements, not AND statements. Access is denied by
default, and there is no "deny" statement: if multiple rules match a path and any
one of the matched conditions grants access, access to the data at that path is
granted. Therefore, once a broad rule grants access to some data, you can't take
that access away with a more specific rule. Avoid this problem by making sure your
match paths don't overlap more than necessary; the Firebase Security Rules compiler
flags overlapping match paths as warnings when you deploy.
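To make the OR semantics concrete, here is an added example (written for this page, not code from Firebase) that models how matching `allow` statements are combined. It mirrors the behaviour described above for the Cloud Firestore / Cloud Storage syntax: single-segment `{wildcard}` path matching, any matching allow with a true condition grants access, a condition that throws denies rather than grants, and an overlap check over the match paths. The Firebase engine itself, the recursive `{name=**}` wildcard, and the shape of `request` (`{"auth": {"uid": ...}}` or `{"auth": None}`) are simplifications and assumptions of this model, not Firebase's API. It contrasts the common pitfall (a broad rule that a narrower rule cannot restrict) with a non-overlapping rule set.

```python
"""Model of Firebase Security Rules OR-combination (added example, not Firebase code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A condition sees the (constructed) request and the wildcard bindings of the match.
Condition = Callable[[dict, Dict[str, str]], bool]


@dataclass
class Rule:
    """One `match <path> { allow <methods>: if <condition>; }` block.
    `path` is slash-separated; a segment written `{name}` is a wildcard."""
    path: str
    methods: Tuple[str, ...]
    condition: Condition


def _is_wildcard(segment: str) -> bool:
    return segment.startswith("{") and segment.endswith("}")


def match_path(pattern: str, path: str) -> Optional[Dict[str, str]]:
    """Return the wildcard bindings if `pattern` matches `path`, else None.
    Only single-segment wildcards are modelled (no `{name=**}`)."""
    pseg, seg = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(pseg) != len(seg):
        return None
    bound: Dict[str, str] = {}
    for p, s in zip(pseg, seg):
        if _is_wildcard(p):
            bound[p[1:-1]] = s
        elif p != s:
            return None
    return bound


def is_allowed(rules: List[Rule], method: str, path: str, request: dict) -> bool:
    """Deny by default; grant if ANY matching rule's condition is true (OR, not AND).
    A condition that raises (e.g. reading request.auth.uid when auth is null)
    simply fails to grant; it never denies a grant from another rule."""
    for rule in rules:
        if method not in rule.methods:
            continue
        bound = match_path(rule.path, path)
        if bound is None:
            continue
        try:
            if rule.condition(request, bound):
                return True
        except (KeyError, TypeError, AttributeError):
            continue
    return False


def patterns_overlap(a: str, b: str) -> bool:
    """Two match paths overlap if some concrete path can match both."""
    sa, sb = a.strip("/").split("/"), b.strip("/").split("/")
    if len(sa) != len(sb):
        return False
    return all(_is_wildcard(x) or _is_wildcard(y) or x == y for x, y in zip(sa, sb))


def overlapping_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """The kind of overlap the Rules compiler warns about, as (path, path) pairs."""
    return [(r1.path, r2.path)
            for i, r1 in enumerate(rules)
            for r2 in rules[i + 1:]
            if patterns_overlap(r1.path, r2.path)]


def owner_only(request: dict, v: Dict[str, str]) -> bool:
    """Equivalent of: request.auth != null && request.auth.uid == uid"""
    return request["auth"] is not None and request["auth"]["uid"] == v["uid"]


# Constructed requests (assumed shape, not Firebase's real request object).
ALICE = {"auth": {"uid": "alice"}}
BOB = {"auth": {"uid": "bob"}}
ANON = {"auth": None}

# Pitfall: a broad catch-all grants everything; the narrower owner check is
# matched too, but OR-combination means it can never take access away.
PITFALL = [
    Rule("/{collection}/{doc}", ("read", "write"), lambda req, v: True),
    Rule("/users/{uid}", ("read", "write"), owner_only),
]

# Fix: no overlapping paths; each path has exactly one, intentional, rule.
FIXED = [
    Rule("/users/{uid}", ("read", "write"), owner_only),
    Rule("/public/{doc}", ("read",), lambda req, v: True),
]


def anon_reads_alice(rules: List[Rule]) -> bool:
    return is_allowed(rules, "read", "/users/alice", ANON)


def bob_writes_alice(rules: List[Rule]) -> bool:
    return is_allowed(rules, "write", "/users/alice", BOB)


def alice_reads_alice(rules: List[Rule]) -> bool:
    return is_allowed(rules, "read", "/users/alice", ALICE)


if __name__ == "__main__":
    print("pitfall overlaps:", overlapping_rules(PITFALL))
    print("pitfall, anonymous read of /users/alice:", anon_reads_alice(PITFALL))
    print("fixed, anonymous read of /users/alice:", anon_reads_alice(FIXED))
    print("fixed, owner read of /users/alice:", alice_reads_alice(FIXED))
```

The `PITFALL` set shows why the overlap warning matters: the anonymous read succeeds even though the `/users/{uid}` rule would deny it, because the catch-all match is evaluated alongside it and one true condition is enough. Rewriting the broad rule into a narrower one, rather than adding a second rule, is the only way to tighten it.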
Firebase Security Rules can also use Firebase Authentication to grant per-user
permissions (for example, allowing a user to read only documents keyed by their own
user ID), and the conditions you set can be very basic or very complex. Learn more
about the Rules language and Rules behavior before you start writing Rules.
Implementation path
1. Integrate the product SDKs: Set up Cloud Firestore, Cloud Storage, or Realtime
   Database for your app.
2. Write your Firebase Security Rules: Learn more about how Rules work and set up
   some basic Rules.
3. Test your Firebase Security Rules: Use the Realtime Database and Cloud Firestore
   emulators to test your app's behavior and validate your rules before you deploy
   them to production.
4. Deploy your Firebase Security Rules: Use the Firebase console or the Firebase CLI
   to deploy your rules to production.
Next steps