How to secure your Firebase security rules
The #1 cause of Firebase data leaks is rules left in test mode ('allow read, write: if true'), which lets anyone on the internet read and write your entire database without signing in. Secure rules restrict every read and write to authenticated, authorized users.
Step by step
1. Get out of test mode
   Replace 'allow read, write: if true' with rules that require authentication. Start from a locked default, 'allow read, write: if false', and then open individual paths deliberately.
2. Require auth and ownership
   Gate access on request.auth != null and match the document owner, e.g. allow read, write: if request.auth.uid == resource.data.ownerId. On create there is no existing document yet, so check the incoming data (request.resource.data) rather than resource.data.
3. Validate writes
   Use rules to validate document shape and stop users from writing fields they should not control (roles, balances). Firestore, Realtime Database and Storage each have their own rule set; cover all three separately.
4. Test in the rules playground
   Use the Firebase rules simulator to confirm that anonymous access is denied and that users can only reach their own data before you publish.
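A complete Firestore rules file that applies steps 1 to 3, added here as an illustration and not taken from the original page or from ClearedToShip. The users and notes collections and the field names ownerId, title, body, role and balance are an assumed schema.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Caller has a verified Firebase Auth identity.
    function signedIn() {
      return request.auth != null;
    }

    // Caller's uid matches the document's ownerId field (field name assumed).
    function ownsDoc(doc) {
      return signedIn() && request.auth.uid == doc.ownerId;
    }

    // Allow-list and type checks for client-written note fields (assumed schema).
    function validNote(data) {
      return data.keys().hasOnly(['ownerId', 'title', 'body'])
        && data.title is string && data.title.size() <= 200
        && data.body is string && data.body.size() <= 10000;
    }

    // Locked default: nothing is reachable unless a match below opens it.
    match /{document=**} {
      allow read, write: if false;
    }

    // Profile: only that user; server-managed role/balance never client-writable.
    match /users/{userId} {
      allow read: if signedIn() && request.auth.uid == userId;
      allow create: if signedIn() && request.auth.uid == userId
        && !request.resource.data.keys().hasAny(['role', 'balance']);
      allow update: if signedIn() && request.auth.uid == userId
        && !request.resource.data.diff(resource.data).affectedKeys()
            .hasAny(['role', 'balance']);
      allow delete: if false;
    }

    // Notes: owner-only, shape validated on every write, ownerId immutable.
    match /notes/{noteId} {
      allow read: if ownsDoc(resource.data);
      allow create: if signedIn()
        && request.resource.data.ownerId == request.auth.uid
        && validNote(request.resource.data);
      allow update: if ownsDoc(resource.data)
        && request.resource.data.ownerId == resource.data.ownerId
        && validNote(request.resource.data);
      allow delete: if ownsDoc(resource.data);
    }
  }
}
```

In the Rules Playground (step 4), confirm that an unauthenticated get on /notes/{id} is denied, that a signed-in user reading another uid's profile is denied, and that an update setting role or balance on the caller's own profile is denied.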
Want it verified, not just fixed?
Fixing it is step one. A ClearedToShip review confirms the fix actually holds and gives you a signed, insured clearance to launch. Join early access: