
Why security rules protect data in Firebase - Why It Works

Introduction
Security rules are the access policy that Firebase enforces on its own servers for every request that arrives through the client SDKs or the REST API. They decide, document by document, whether the caller may read it or change it. They are the only protection for client-side access: the database endpoint is public, so a tampered app or a hand-crafted request gets exactly what the rules allow and nothing more. They do not apply to the Admin SDK, which runs with service-account privileges on your backend and bypasses rules entirely. Typical situations:
When you want only logged-in users to read their own data.
When you want to prevent anyone from deleting important information from a client.
When you want to allow users to update only specific fields of their profile.
When you want to block access to data before or after a certain time, or under other conditions.
When you want to protect sensitive data such as payment details or private contact information. (Never store raw passwords in Firestore at all; Firebase Authentication handles credentials.)
Config File - firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Allow read/write only if user is authenticated
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Explicit catch-all. Firestore denies by default, so this grants nothing
    // and revokes nothing; it only documents the intent.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

This file sets the access rules for the Firestore database.

rules_version = '2': Selects the rules language version. Use version 2 for new projects; it changes how recursive wildcards match (zero or more path segments instead of one or more) and is required for collection group queries.

service cloud.firestore: Applies the rules to Cloud Firestore (Storage and Realtime Database have their own rule sets).

match /databases/{database}/documents: The root of every Firestore path; all document matches are nested inside it.

match /users/{userId}: Matches each document in the users collection and binds the document ID to the wildcard userId.

allow read, write: if request.auth != null && request.auth.uid == userId: Grants the request only when it carries a valid Firebase Authentication token and that token's uid equals the document ID, so a user can touch their own document and nobody else's. The null check must come first, because request.auth is null for unauthenticated requests. read and write are shorthands: read covers get and list, write covers create, update and delete, and each can be allowed separately.

match /{document=**}: A recursive wildcard covering every other document. Its condition is false, so it grants nothing, which is also what happens without it: Firestore denies any request that no allow statement grants. It cannot take access away, either. When several match blocks cover the same path, the request succeeds if any one of them allows it, so a permissive catch-all would widen access to the users documents rather than tighten it.
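As an added example, not part of the original page, the rules file below extends the one above to the five situations listed in the Introduction: owner-only reads, no client-side deletion, updates limited to a list of profile fields, a time-gated collection, and sensitive data that clients may read but never write. The collection names (users, private, announcements), the field list and the cut-off date are assumptions chosen for illustration.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions keep conditions readable and reusable.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }
    // Only these fields may be touched by a client update (assumed field names).
    function onlyProfileFields() {
      return request.resource.data.diff(resource.data).affectedKeys()
               .hasOnly(['displayName', 'photoURL', 'bio']);
    }

    match /users/{userId} {
      // Only the owner may read their own profile document.
      allow get: if isOwner(userId);
      // Nobody may list the whole collection from a client
      // (denied by default; written out to make the decision visible).
      allow list: if false;
      // A user may create only their own document and may not set a role field.
      allow create: if isOwner(userId)
                    && !('role' in request.resource.data);
      // Updates are limited to the profile fields listed above.
      allow update: if isOwner(userId) && onlyProfileFields();
      // Deletion is never allowed from a client; a backend using the
      // Admin SDK can still delete, because the Admin SDK bypasses rules.
      allow delete: if false;

      // Sensitive material lives in a subcollection the client can only read.
      // Writes must come from a trusted backend.
      match /private/{doc} {
        allow read: if isOwner(userId);
        allow write: if false;
      }
    }

    // Time-gated access: readable by signed-in users only until the
    // assumed cut-off date; never writable from a client.
    match /announcements/{id} {
      allow read: if signedIn()
                  && request.time < timestamp.date(2025, 12, 31);
      allow write: if false;
    }
  }
}
```

Two points worth noticing. The update rule compares the incoming document (request.resource.data) with the stored one (resource.data) and rejects the write if any field outside the list changed, which is how "update only parts of a profile" is expressed without trusting the client. And because the Admin SDK ignores rules, everything marked write: if false is protected only as long as your service-account credentials are; rules guard the client path, not your own backend code.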

Commands
This command uploads firestore.rules and makes it the live rule set for your Firebase project, replacing whatever rules were published before.
Terminal
firebase deploy --only firestore:rules
Expected Output
=== Deploying to 'my-firebase-project'...
✔  firestore: rules
✔  Deploy complete!
Project Console: https://console.firebase.google.com/project/my-firebase-project/overview
--only firestore:rules - Deploys only the Firestore security rules without touching Hosting, Functions or other services. Keep firestore.rules in version control and review changes to it as you would any other access-control code; once published, the new rules apply to every client.
Starts a local Firestore emulator so you can exercise your security rules on your own machine without touching production data.
Terminal
firebase emulators:start --only firestore
Expected Output
i  emulators: Starting emulators: firestore
✔  firestore: Emulator started at http://localhost:8080
All emulators started, it is now safe to connect your app.
--only firestore - Runs only the Firestore emulator. The emulator loads firestore.rules from the project directory and enforces it, but keeps data in memory, so it is safe to try unauthenticated or cross-user requests against it. Point a web client at it with connectFirestoreEmulator(db, 'localhost', 8080) from the Firebase JS SDK.
Runs your rules unit tests against the emulator. The Firebase CLI has no built-in command that tests a rules file on its own; tests are written with the @firebase/rules-unit-testing package (which loads firestore.rules into the emulator and lets you issue requests as a chosen user, or as no user at all) and are executed with emulators:exec, which starts the emulator, runs the script you pass, and shuts the emulator down again.
Terminal
firebase emulators:exec --only firestore "npm test"
Expected Output
The emulator start-up messages followed by your test runner's own output. The command exits non-zero if any test fails, which makes it a suitable gate to run in CI before firebase deploy.
Key Concept

If you remember nothing else from this pattern, remember: security rules are the server-side check that decides who may read or write each document, and nothing you do in client code can substitute for them.

Common Mistakes
Allowing read or write access without checking that the user is authenticated.
Anyone on the internet can read or change your data, risking privacy and data loss; the database endpoint is public even if your app never exposes it.
Always check that request.auth != null before any other condition.
Writing rules that let users reach other users' data, for example a catch-all such as allow read, write: if request.auth != null; under /{document=**}.
Every signed-in user can read and change every document, including other users' profiles, because a request succeeds when any matching block allows it.
Write a specific match block per collection and tie it to the caller with request.auth.uid == userId; keep any catch-all at if false or leave it out.
Not testing rules before deploying.
Mistakes in rules can leave data unprotected or block legitimate access, and you only find out in production.
Write rules unit tests with @firebase/rules-unit-testing, run them against the emulator with firebase emulators:exec, and make that a required step before firebase deploy.
Summary
Write security rules so that only authenticated users can read and write their own documents, and nothing else is reachable from a client.
Deploy rules with the Firebase CLI; the project enforces whatever rule set was last published.
Test rules against the local emulator and keep the tests in CI so mistakes are caught before going live.