
Storage security rules in Firebase - Commands & Configuration

Introduction
Storage security rules control who can read or write files in your Firebase storage. They protect your files from unauthorized access and keep your data safe.
When you want only logged-in users to upload profile pictures.
When you want to allow public read access but restrict who can upload files.
When you want to prevent users from deleting or modifying files they do not own.
When you want to limit file uploads to certain file types or sizes.
When you want to secure sensitive documents so only specific users can access them.
Config File - storage.rules
storage.rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /user_uploads/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /public/{allPaths=**} {
      allow read;
      allow write: if false;
    }
  }
}

This file defines Firebase Storage security rules.

rules_version specifies the version of the rules syntax.

The service firebase.storage block applies rules to your storage buckets.

The first match block allows users to read and write only their own files inside user_uploads/{userId} folders if they are logged in and their user ID matches the folder name.

The second match block allows anyone to read files in the public folder but denies all writes.
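
The config above does not cover the case of limiting uploads to certain file types or sizes. The following is an added example, not part of the original page, that extends the user_uploads rule to do so; the 5 MB limit and the image-only restriction are assumed values chosen for illustration.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /user_uploads/{userId}/{allPaths=**} {
      // Same ownership check as the original rule: logged in, and the
      // authenticated UID matches the folder name.
      function isOwner() {
        return request.auth != null && request.auth.uid == userId;
      }

      // request.resource describes the file being uploaded.
      // Assumed limits for this example: images only, under 5 MB.
      function isSmallImage() {
        return request.resource.size < 5 * 1024 * 1024
            && request.resource.contentType.matches('image/.*');
      }

      allow read: if isOwner();

      // create and update both carry a new file, so validate it.
      allow create, update: if isOwner() && isSmallImage();

      // delete uploads nothing, so there is no file to validate;
      // only ownership is checked.
      allow delete: if isOwner();
    }

    match /public/{allPaths=**} {
      allow read;
      allow write: if false;
    }
  }
}
```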

Commands
This command uploads your storage security rules to Firebase and activates them, so they are enforced immediately.
Terminal
firebase deploy --only storage
Expected Output
=== Deploying to 'your-project-id'...
i deploying storage
✔ storage: rules storage.rules
✔ Deploy complete!
Project Console: https://console.firebase.google.com/project/your-project-id/overview
--only - Deploy only the specified Firebase feature, here storage rules.
This command downloads the currently active storage rules to a file named current.rules for review or backup.
Terminal
firebase storage:rules:get > current.rules
Expected Output
Rules downloaded to current.rules
This command tests if a user with ID abc123 can read the file photo.jpg in their user_uploads folder. It helps verify your rules work as expected.
Terminal
firebase storage:rules:test --path /user_uploads/abc123/photo.jpg --operation read --auth abc123
Expected Output
Test result: ALLOWED
--path - Specifies the file path to test.
--operation - Specifies the operation to test, like read or write.
--auth - Simulates the user ID for the test.
Key Concept

If you remember nothing else from this pattern, remember: storage security rules protect your files by controlling who can read or write based on user identity and file location.

Common Mistakes
Allowing write access to everyone by using 'allow write: if true;'
This lets anyone upload or delete files, risking data loss or abuse.
Restrict write access to authenticated users or specific user IDs only.

Not matching the user ID in the path with the authenticated user ID.
Users could access or modify other users' files, breaking privacy.
Use 'request.auth.uid == userId' in the rule to ensure users access only their own files.

Forgetting to deploy the updated rules after editing the file.
Changes won't take effect until deployed, leaving old rules active.
Run 'firebase deploy --only storage' after any rule changes.
Summary
Write storage security rules in the storage.rules file to control file access.
Deploy rules using 'firebase deploy --only storage' to activate them.
Test rules with 'firebase storage:rules:test' to ensure correct permissions.