Firebase Security Rules provide robust, completely customizable protection for your data in Cloud Firestore, Realtime Database, and Cloud Storage. You can get started with Rules by following the steps in this guide, securing your data and protecting your app from malicious users.
Understand the Firebase Security Rules language
Before you start writing rules, it's worthwhile to take some time to review the specific Firebase Security Rules language for the Firebase products you're using. Realtime Database leverages a JavaScript-like syntax and JSON structure for its Rules.
Start by learning the core syntax of the Firebase Security Rules language.
Set up Authentication
If you haven't done it already, add Firebase Authentication to your app. Firebase Authentication supports many common authentication methods and integrates with Firebase Security Rules to provide comprehensive verification capabilities.
You can set up additional, custom authentication information for your app.
Learn more about Firebase Security Rules and Firebase Authentication.
Define your data and rules structures
Define data for security
The way you structure your data might affect the way you structure and implement your rules. As you define your data structures, consider the implications they might have on your Rules structure.
For example, in Realtime Database, you might want to include a field that denotes a specific role for each user. Then, your rules can read that field and use it to grant role-based access.
As you define your data and rules architectures, keep in mind the way that rules cascade or don't cascade, depending on your product. With Realtime Database, rules work from the top down, with shallower rules overriding deeper rules. If a rule grants read or write permissions at a particular path, then it also grants access to all child nodes under it, and a rule at a deeper path cannot take that access away. In contrast, with Cloud Firestore and Cloud Storage, rules apply only at specified levels of the data hierarchy, and you write explicit rules to control access to different levels.
Access your rules
To view your existing Rules, use either the Firebase CLI or the Firebase console. Make sure you edit your rules using the same method, consistently, to avoid mistakenly overwriting updates. If you're not sure whether your locally defined rules reflect the most recent updates, the Firebase console always shows the most recently deployed version of your Firebase Security Rules.
To access your rules from the Firebase console, select your project, then in the left-hand navigation panel, click Realtime Database. Click Rules once you're in the correct database or storage bucket.
To access your rules from the Firebase CLI, go to the rules file noted in your firebase.json file.
Write basic rules
As you're developing your app and understanding Rules, try implementing Rules to address a few basic use cases, including the following:
- Content-owner only: Restrict access to content by user.
- Mixed access: Restrict write access by user, but allow public read access.
- Attribute-based access: Restrict access to a group or type of user.
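The three use cases above, written as a Realtime Database rules file together with the role field and the cascade behavior described earlier. This is an added example, not taken from the Firebase documentation; the node names (private_notes, profiles, users, moderation_queue), the displayName and role fields, and the "moderator" value are assumptions.

```json
{
  "rules": {
    // Constructed example: all node names below are assumptions.

    // Content-owner only: a user reads and writes only their own node.
    "private_notes": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },

    // Mixed access: anyone can read, only the owner can write.
    "profiles": {
      ".read": true,
      "$uid": {
        ".write": "auth != null && auth.uid === $uid"
      }
    },

    // Role field used for attribute-based access. Because a grant at a
    // shallower path also covers every child, ".write" is NOT granted at
    // "$uid": that would let users change their own "role". Write access
    // is granted per child instead, and "role" is left unwritable.
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        "displayName": {
          ".write": "auth != null && auth.uid === $uid"
        },
        "role": {
          ".write": false
        }
      }
    },

    // Attribute-based access: only users whose role is "moderator".
    "moderation_queue": {
      ".read": "auth != null && root.child('users').child(auth.uid).child('role').val() === 'moderator'",
      ".write": "auth != null && root.child('users').child(auth.uid).child('role').val() === 'moderator'"
    }
  }
}
```

With these rules no client can write the role field, so it has to be set from a trusted server environment such as the Admin SDK, which is not subject to Security Rules.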
Test your rules
If you're setting up your Firebase Security Rules in the Firebase console, you can use the Firebase Rules Playground to quickly validate behavior. However, we recommend more thorough testing with the Local Emulator Suite before you deploy your changes to production.
Deploy rules
Use the Firebase console or the Firebase CLI to deploy your rules to production. Follow the steps outlined in Manage and deploy Firebase Security Rules.