
Realtime Database security rules in Firebase - Commands & Configuration

Introduction
Realtime Database security rules control who can read or write data in your Firebase database. They protect your data from unauthorized access and keep it safe.
Use security rules:

  • When you want only logged-in users to read and write their own data.
  • When you need to prevent anyone from deleting important data accidentally.
  • When you want to allow public read access but restrict write access to admins.
  • When you want to validate data format before saving it to the database.
  • When you want to limit how much data a user can write to avoid abuse.
Config File - database.rules.json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

This file sets the security rules for your Firebase Realtime Database.

  • No .read or .write rule is set at the root, so every path is denied unless a rule further down grants access.
  • Rules cascade downward: access granted at a parent path cannot be revoked by a child rule. A root-level "auth != null" would therefore let any signed-in user read and write every user's data, whatever the rules under users/$uid say.
  • The users node has a variable $uid representing each user ID.
  • Inside users/$uid, only the user with matching auth.uid can read or write their own data.
Commands
This command uploads your Realtime Database security rules to Firebase and activates them, so they start protecting your data.
Terminal
firebase deploy --only database
Expected Output
=== Deploying to 'your-project-id'...
i deploying database
i database: checking rules syntax...
✔ database: rules syntax for database Realtime Database is valid
✔ Deploy complete!
Project Console: https://console.firebase.google.com/project/your-project-id/overview
--only - Deploy only the database rules without affecting other Firebase services
This command fetches data at the path /users/user123 to verify if the authenticated user can read their own data according to the rules.
Terminal
firebase database:get /users/user123
Expected Output
{ "name": "Alice", "email": "alice@example.com" }
This command updates the data for user123 to test if the write rule allows the authenticated user to change their own data.
Terminal
firebase database:set /users/user123 --data '{"name":"Alice Updated"}'
Expected Output
null
Key Concept

If you remember nothing else from this pattern, remember: security rules control who can read or write each part of your database based on user identity.

Common Mistakes
  • Setting .read and .write to true for everyone
    Problem: This makes your database open to anyone, risking data leaks and unauthorized changes.
    Fix: Always require authentication by using auth != null and restrict access to specific users or roles.
  • Not using variables like $uid to match user IDs
    Problem: Without variables, you cannot restrict users to only their own data, allowing them to access others' data.
    Fix: Use path variables like $uid and compare them to auth.uid to enforce user-specific access.
  • Deploying rules without testing them
    Problem: Incorrect rules can lock out all users or leave data unprotected.
    Fix: Test rules locally or with Firebase Emulator before deploying, and verify with read/write commands.
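The check below is an added example, not Firebase tooling or code from this page: a small static linter for a parsed database.rules.json that flags .read/.write rules open to everyone and child rules sitting under a broader parent grant, which cannot restrict it because Realtime Database rules cascade. The name lintRules, the issue labels and both sample rule sets are constructed for illustration; it compares rule strings only and does not evaluate them the way Firebase does.

```javascript
// Added example (not Firebase tooling): static lint of a parsed database.rules.json.
// Rule expressions are compared as text; nothing here evaluates them like Firebase.

function lintRules(node, path = "", inherited = {}) {
  const findings = [];
  const grants = { ...inherited }; // op -> ancestor path that already grants it
  const where = path || "/";

  for (const op of [".read", ".write"]) {
    if (!(op in node)) continue;
    const text = String(node[op]).trim();
    if (text === "true") {
      findings.push({ path: where, op, issue: "open-to-everyone" });
    }
    if (grants[op]) {
      // Rules cascade: the ancestor's grant still applies here, so this rule
      // can widen access but never narrow it.
      findings.push({ path: where, op, issue: "cannot-restrict-parent-grant", parent: grants[op] });
    } else if (text !== "false") {
      grants[op] = where;
    }
  }

  for (const [key, child] of Object.entries(node)) {
    if (key.startsWith(".") || child === null || typeof child !== "object") continue;
    findings.push(...lintRules(child, `${path}/${key}`, grants));
  }
  return findings;
}

// Constructed sample: root-level grant with per-user rules underneath.
const broadRules = { rules: { ".read": "auth != null", ".write": "auth != null",
    users: { $uid: { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } } } };

// Constructed sample: access granted only at users/$uid.
const scopedRules = { rules: {
    users: { $uid: { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } } } };

for (const f of lintRules(broadRules.rules)) {
  console.log(`${f.path} ${f.op}: ${f.issue}` + (f.parent ? ` (granted at ${f.parent})` : ""));
}
console.log("scoped findings:", lintRules(scopedRules.rules).length);
```

A finding of cannot-restrict-parent-grant is a prompt to review the parent rule, since a child rule may be widening access on purpose.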
Summary
Write security rules in a JSON file to control database access.
Deploy rules using the firebase CLI to make them active.
Test read and write permissions with firebase database commands.