Firebase Security Rules Explained: Complete Guide for Firestore & Storage

Learn Firebase Security Rules for Firestore and Storage. Complete production guide with authentication checks, role-based access, validation rules, and best practices.

Introduction

Firebase makes backend development easy — but security is your responsibility.

During development, many developers leave Firestore and Storage in test mode. Test-mode rules allow anyone to read and write, so the database and the storage bucket are publicly accessible to anyone who knows the project ID.

In production, incorrect security rules can:

  • Expose user data
  • Allow unauthorized writes
  • Increase billing costs
  • Compromise application integrity

In this complete guide, we will deeply explore:

  • How Firebase Security Rules work
  • Firestore rule structure
  • Authentication-based rules
  • Role-based access control
  • Data validation rules
  • Storage rules
  • Production best practices

How Firebase Security Rules Work

Firebase security rules are not filters. They act as gatekeepers: a query is never trimmed down to the documents the caller may see. If a query could return even one document the rules forbid, the whole request is denied.

Request → Rules Engine → Allow / Deny

If no matching allow statement evaluates to true, the request is rejected.

Basic Firestore Rule Structure

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    match /users/{userId} {
      allow read, write: if request.auth != null;
    }

  }
}

This allows any authenticated user to read and write any document under users. It keeps anonymous callers out, but it does not yet stop one signed-in user from reading or editing another user's document.

Restrict User to Their Own Data

match /users/{userId} {
  allow read, write: if request.auth != null
                     && request.auth.uid == userId;
}

This ensures a user can only access the document whose ID equals their own uid.

Role-Based Access Control

Example: the admin role is stored as a role field in the user's own document (users/{uid}).

match /adminData/{docId} {
  allow read, write: if request.auth != null
    && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "admin";
}

This reads the requesting user's document with get() and grants access only if its role field equals "admin". Each get() is an additional document read, billed and counted toward the per-request document-access limit.

Data Validation Rules

Ensure the required fields exist and have the expected types.

match /posts/{postId} {
  allow create: if request.auth != null
    && request.resource.data.keys().hasAll(['title', 'content'])
    && request.resource.data.title is string
    && request.resource.data.content is string;
}

This prevents malformed posts from being created, regardless of what the client-side code validates.

Restrict Field Updates

allow update: if request.auth.uid == resource.data.userId
  && request.resource.data.userId == resource.data.userId;

Only the owner may update the document, and the update cannot change the ownership field.

Prevent Deleting Others' Data

allow delete: if request.auth.uid == resource.data.userId;

Only the owner recorded in the existing document may delete it.
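The three snippets above (create validation, restricted updates, owner-only delete) are pieces of one posts collection. Below they are combined into a complete, deployable ruleset, as an added example that is not part of the original article. The helper names isSignedIn, isOwner and isValidPost, the field set (title, content, userId, createdAt, updatedAt) and the size limits are assumptions chosen for the example.

```firebase-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper names are our own (example code), not from the article.
    function isSignedIn() {
      return request.auth != null;
    }

    function isOwner(data) {
      return isSignedIn() && request.auth.uid == data.userId;
    }

    // Shape every stored post must satisfy, both on create and after an update.
    // Field list and size limits are assumptions for this example.
    function isValidPost(data) {
      return data.keys().hasAll(['title', 'content', 'userId', 'createdAt'])
        && data.keys().hasOnly(['title', 'content', 'userId', 'createdAt', 'updatedAt'])
        && data.title is string
        && data.title.size() >= 1
        && data.title.size() <= 200
        && data.content is string
        && data.content.size() <= 20000
        && data.userId is string
        && data.createdAt is timestamp;
    }

    match /posts/{postId} {
      allow read: if true;

      // Create: signed in, well-formed, the owner field is the caller's own uid,
      // and createdAt is a server timestamp (the client must write serverTimestamp()).
      allow create: if isSignedIn()
        && isValidPost(request.resource.data)
        && request.resource.data.userId == request.auth.uid
        && request.resource.data.createdAt == request.time;

      // Update: owner only, still well-formed, and only these keys may change,
      // so userId and createdAt are frozen for the life of the document.
      allow update: if isOwner(resource.data)
        && isValidPost(request.resource.data)
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['title', 'content', 'updatedAt']);

      // Delete: owner only.
      allow delete: if isOwner(resource.data);
    }
  }
}
```

The hasOnly() check on keys() rejects documents that smuggle in extra fields, and the diff().affectedKeys() check on update is stricter than comparing the ownership field alone: it freezes every field not explicitly listed. Deploy with firebase deploy --only firestore:rules.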

Storage Security Rules

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    match /profile_images/{userId}.jpg {
      allow read;
      allow write: if request.auth != null
                   && request.auth.uid == userId;
    }

  }
}

This lets anyone read profile images, but only a signed-in user whose uid matches the file name can upload or overwrite one.
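Ownership alone does not stop a user from uploading a 2 GB file or an executable under the image name. The following Storage ruleset, added here as an example rather than taken from the article, also checks content type and size, and splits write into create/update and delete because request.resource is null on a delete (so a content-type check there would fail and deny every deletion). The paths profile_images/{userId}/{fileName} and private_uploads/{userId}/{fileName}, the 5 MB limit and the helper names are assumptions; the wildcards are full path segments.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // Helper names are our own (example code), not from the article.
    function isSignedIn() {
      return request.auth != null;
    }

    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Only images, and only up to 5 MB (limit is an assumption for this example).
    function isSmallImage() {
      return request.resource.contentType.matches('image/.*')
        && request.resource.size < 5 * 1024 * 1024;
    }

    // Public profile images: anyone may read, only the owner may upload.
    match /profile_images/{userId}/{fileName} {
      allow read: if true;
      // create/update carry request.resource, so type and size can be checked.
      allow create, update: if isOwner(userId) && isSmallImage();
      // delete has no request.resource; check ownership only.
      allow delete: if isOwner(userId);
    }

    // Private uploads: readable and writable by the owner only.
    match /private_uploads/{userId}/{fileName} {
      allow read: if isOwner(userId);
      allow create, update: if isOwner(userId) && request.resource.size < 5 * 1024 * 1024;
      allow delete: if isOwner(userId);
    }

    // Every other path: no client access (this is also the default, stated explicitly).
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

Deploy with firebase deploy --only storage. Note that contentType is supplied by the client, so it keeps accidental uploads out but is not proof that the bytes are a valid image; server-side processing still has to treat the file as untrusted.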

Block Public Access Completely

allow read, write: if false;

Useful for collections that clients must never touch directly. Server code using the Admin SDK bypasses security rules, so such data can still be managed from trusted backends.

Understanding request and resource

  • request.auth → the authentication context of the caller (null when unauthenticated); request.auth.uid is the user's ID
  • request.resource → the document as it will look after the write (new data)
  • resource.data → the document currently stored in the database (existing data)

Common Beginner Mistakes

  • Leaving test mode enabled
  • Using allow read, write: if true
  • Not validating fields
  • Not restricting user access
  • Trusting client-side validation

Security Rule Testing

Use the Firebase Emulator Suite to test rules locally before deploying them.

firebase emulators:start

Production Security Checklist

  • Require authentication for private data
  • Restrict access to own documents
  • Validate required fields
  • Protect admin routes
  • Secure storage uploads
  • Enable Firebase App Check

App Check Recommendation

Firebase App Check ensures only your genuine app can access backend services.

Performance Impact

Security rules are evaluated before the database operation runs, so their cost is paid on every request. Complex rules, especially ones that call get() or exists() on other documents, add latency and billed reads. Keep them as simple as the access model allows.

Real-World Secure Structure Example

Collections: users, posts, orders, admin

  • users: each user can manage their own profile
  • posts: readable by the public, writable by the owner
  • orders: accessible only by the buyer
  • admin: restricted by role
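The structure above written out as one Firestore ruleset, added here as an example and not taken from the article. It reuses the article's pattern of looking up the role in the user's own document, and it keeps users from granting themselves that role: the client may never write the role field, so role assignment stays with trusted server code (the Admin SDK bypasses rules). The field names userId, buyerId and role, and the helper names, are assumptions for this example.

```firebase-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper names are our own (example code), not from the article.
    function isSignedIn() {
      return request.auth != null;
    }

    function isUser(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Role lookup as in the article: one extra document read per evaluation.
    function isAdmin() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }

    // users: each user manages their own profile, but can never set or change role.
    match /users/{userId} {
      allow read: if isUser(userId) || isAdmin();
      allow create: if isUser(userId) && !('role' in request.resource.data);
      allow update: if isUser(userId)
        && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']);
      allow delete: if isAdmin();
    }

    // posts: public read, writable by the owner only (field validation omitted here).
    match /posts/{postId} {
      allow read: if true;
      allow create: if isSignedIn() && request.resource.data.userId == request.auth.uid;
      allow update, delete: if isSignedIn() && resource.data.userId == request.auth.uid;
    }

    // orders: only the buyer can see their orders; created by the buyer, immutable afterwards.
    match /orders/{orderId} {
      allow read: if isSignedIn() && resource.data.buyerId == request.auth.uid;
      allow create: if isSignedIn() && request.resource.data.buyerId == request.auth.uid;
      allow update, delete: if false;
    }

    // admin: the whole subtree is restricted by role.
    match /admin/{docId=**} {
      allow read, write: if isAdmin();
    }

    // Everything else is denied (also the default, stated explicitly).
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two points worth checking in the emulator: a normal user must not be able to set role on their own document via create or update, and a query on orders must be scoped with where('buyerId', '==', uid) on the client, because rules are not filters and an unscoped query on orders is denied outright.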

Final Advice

Security rules are your backend firewall. Never deploy without reviewing them carefully.

A secure Firebase app is not about complex code — it is about correct rule design.

Conclusion

Firebase Security Rules protect your Firestore and Storage. By combining authentication checks, role validation, and data validation rules, you can build secure, production-ready systems.

Next, we will explore: Firebase Cloud Messaging (Push Notifications Complete Guide).
