How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Mastering the Firebase Security Rule in 2026

Think of your Firebase security rules as the digital bouncers for your app. They're the ones standing at the door, deciding who gets in, what they can see, and what they’re allowed to touch. Getting these rules wrong is one of the most common ways developers accidentally expose user data, which makes them your most critical line of defence.

Your App's Digital Bouncer

A robot enforces Firebase security rules, acting as a data guard for VIP information in cloud storage.

Imagine your app's data is an exclusive VIP event. You wouldn't just let anyone wander in off the street, grab the microphone on the main stage, or start rummaging through guests' coats. A Firebase security rule acts as your bouncer, guest list, and access pass all rolled into one.

These rules are a set of instructions you write that live on Google’s servers, policing every single read, write, and delete request made to your databases and cloud storage. This is the very backbone of Firebase's serverless model. Instead of writing endless backend code to check permissions for every little action, you simply define the rules and let Firebase enforce them for you. It's incredibly powerful, but it also means the responsibility for protecting your data rests squarely on your shoulders.

The Myth of "Set It and Forget It" Security

A dangerous myth has taken hold in the developer community: that security is a one-time setup task. It’s tempting to start a project with wide-open rules for easy development, but far too often, developers simply forget to lock them down before going live. This is like throwing a VIP party and leaving the front doors wide open with no one checking tickets.

The most common misconfiguration, often called "read write true," leaves databases completely open to unauthorised access. Automated scanning for exposed Firebase instances primarily targets this basic open configuration, indicating that a substantial number of deployments still operate with dangerously permissive rules.

Leaving your rules in a permissive state isn't some theoretical risk; it’s a direct invitation for data scraping, vandalism, and abuse. Security isn't static. Every time you add a new feature or data collection, your rules must evolve along with it.

The Three Pillars of Firebase Data Security

Your security strategy has to cover every place you store data. Firebase rules provide a consistent yet distinct syntax for its three main data services, and understanding their individual roles is the first step toward building a secure application.

Here’s a quick breakdown of how security rules apply to each core Firebase service:

Each service requires a slightly different mindset. What works for Firestore might not translate directly to the Realtime Database, so it’s crucial to get the fundamentals right for each one.

Throughout this guide, we’ll move from these core concepts to practical, real-world examples. We'll show you exactly how to write, test, and deploy robust security rules for each of these services, ensuring your "digital bouncer" is always doing its job.

Writing Your First Firebase Security Rule

Alright, let's move from theory to practice and write our first security rule. We're not going to dive into a dense technical manual; instead, think of this as looking over a developer's shoulder as we piece together the fundamental building blocks.

A diagram illustrating path variables, authentication, and read/write authorization using a mailbox and card reader.

We'll start with the absolute basics and build up from there. By the time you finish this section, you'll be able to read simple security rules and have the confidence to start writing your own.

The Match Statement: Your Data's Address

Every Firebase security rule needs to know what data it’s protecting. That's the job of the match statement. It works like an address on an envelope, pointing to a specific path in your database.

In Firestore, for example, your rules file will start with a broad match block that covers the entire database.

rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { // Your rules will live inside here. } } This is a necessary first step, but it’s far too general for real-world security. You'll almost always want to drill down further. To target a specific users collection, for instance, you'd add another match statement inside.

// ...inside the service block match /users/{userId} { // Rules for a single user document go here. } This new line targets any individual document within that users collection. That {userId} part is a wildcard, and it’s a seriously powerful tool we’ll come back to in a moment.

The Allow Expression: The Permission Slip

Once you've told the rule where to look, you need to define who can do what. This is where the allow expression comes in, followed by the specific operations you want to permit.

The main operations you’ll work with are read and write.

allow read: Controls who can fetch or list data.
allow write: A convenient shorthand that covers creating, updating, and deleting data.

It's crucial to realise these permissions are not combined. If you grant someone write access, that does not automatically give them read access. You must explicitly allow read if they also need to see the data.

For any request to succeed, the condition following the allow expression must evaluate to true. If it's false—or if no rule matches at all—access is denied. This 'deny by default' approach is a core security principle in Firebase, ensuring your data is safe from the start.

The Request Object and Auth: Your Digital ID

So, how does Firebase know who's asking for the data? It uses the built-in request object. This object holds details about the incoming request, but its most valuable property is request.auth.

Think of request.auth as the user's digital ID card. If they're signed in via Firebase Authentication, it contains their unique ID (uid) and other useful token details. If the user isn't logged in, request.auth is simply null.

This is the absolute cornerstone of user-based security. It lets you write a simple rule that checks if a user is even logged in:

allow read, write: if request.auth != null; This is a great starting point, ensuring only authenticated users can do anything. But we can—and should—get much more precise. This is where path variables truly shine, and you can see how they fit into a complete security strategy in our Firebase security rules guide.

Path Variables for Dynamic Rules

Remember the {userId} wildcard from our match statement earlier? That’s what we call a path variable. It's a clever feature that captures the actual document ID from the path and turns it into a variable you can use in your rule.

This is what lets you create truly dynamic rules. The most common and essential security pattern is to let a user read and write only their own data.

match /users/{userId} { allow read, write: if request.auth.uid == userId; } Here’s what’s happening: the userId variable captures the ID of the document the user is trying to access. The rule then checks if the signed-in user's ID (request.auth.uid) is an exact match. If they match, access is granted. If not, it's denied.

With that one powerful line, you’ve effectively prevented users from reading or messing with each other's private data.

Common Pitfalls and Why Rules Are Deceptively Hard

When you first start writing Firebase security rules, they seem almost too simple. This simplicity is a trap. It’s dangerously easy to write a rule that works but leaves your entire application wide open, and the scariest part is that you’d never even know.

There's a strange paradox with security rules. If your rules are too strict, your app breaks instantly. Features stop working, users start complaining, and you have no choice but to fix it. But if they're too permissive? Everything runs smoothly. From your perspective, the app is working perfectly, and you're completely oblivious to the fact that you've left the front door unlocked until a malicious actor decides to walk right in.

The Infamous "Allow Read, Write: if true" Mistake

Every developer who has worked with Firebase has seen this line, often used during the early stages of a project just to get things moving. It looks innocent enough:

allow read, write: if true;

This one-liner grants universal read and write access to a path, effectively turning off all security. While it might feel handy for quick prototyping, forgetting to replace it before going live is a catastrophic error. It’s like installing a state-of-the-art security system in your house but leaving the master key under the doormat with a big sign pointing to it.

This isn’t just a hypothetical scenario. The truth is, getting a Firebase security rule right is incredibly difficult, even for experienced engineers. The smallest mistake in your logic almost always creates a security vulnerability. We’ve seen this lead to widespread data breaches in production apps, making them easy targets for attackers. You can find some sobering discussions on this very topic from Firebase engineering veterans on news.ycombinator.com.

Security Rule Calcification

The high-stakes nature of getting rules right leads to another big problem: security rule calcification. This is what happens when developers become so terrified of breaking a feature or, worse, opening a security hole, that they just stop touching the rules file altogether.

A Firebase security rule must evolve with every new feature you build. Treating security as a one-time setup task is a recipe for disaster.

This fear is completely understandable, but it’s a silent killer for your app's security. As your application grows, you'll add new data collections, user roles, and features. If your rules don't evolve at the same pace, you're guaranteed to leave gaps. That new user profile section might be unprotected, or that new admin dashboard could suddenly become accessible to everyone.

The only way around this is to treat your security rules as living code. They aren’t something you set once and forget; they need constant maintenance, testing, and review, just like the rest of your codebase.

Common Logical Flaws to Avoid

Beyond the obvious if true; blunder, a few other subtle yet severe logical flaws pop up all the time. You need to be on the lookout for these:

Incomplete Path Matching: You meticulously write a rule for /users/{userId} but completely forget to create one for a new /admins/{adminId} collection.
Assuming Authentication is Enough: Relying on if request.auth != null; is a common first step, but it does absolutely nothing to stop one logged-in user from reading or overwriting another user's data.
Ignoring Write Operation Granularity: Using a broad allow write is easy, but it allows creates, updates, and deletes. If a user should only be able to create a document, they shouldn't also have the power to delete it. Use allow create or allow update instead.
Neglecting Data Validation: Forgetting to use rules to check the type and format of incoming data (request.resource.data). This can lead to corrupted data and opens the door for abuse.

Right then, let's get our hands dirty. Knowing the theory behind Firebase security rules is one thing, but putting them into practice in a real-world app is where the rubber really meets the road. We're going to move past the textbook definitions and look at some solid, reusable patterns you can adapt for your own projects.

Think of these as battle-tested recipes from the front lines of app development. We'll start with the absolute essentials and build our way up to more complex, sophisticated security models.

Protecting User-Specific Data

This is the big one. If you get nothing else right, get this right. Making sure users can only touch their own data is the foundation of almost any application that has user accounts. Just imagine a social media app where you could read someone else's private messages—it’s a complete non-starter.

Let's say you have a profiles collection, and you cleverly use the user's authentication ID (uid) as the document ID. The rule to lock this down is beautifully simple but incredibly effective.

service cloud.firestore { match /databases/{database}/documents { // Match any document in the 'profiles' collection match /profiles/{userId} { // Allow read and write ONLY if the requesting user's ID // matches the document's ID. allow read, write: if request.auth.uid == userId; } } }

See what’s happening here? The userId wildcard grabs the ID from the document path, and we just check if it matches the ID of the logged-in user (request.auth.uid). It's a clean and direct way to give each user their own private space. Of course, this all hinges on having solid authentication in the first place, which you can read more about in our guide on Firebase Authentication security.

Public Read, Private Write Content

What about something like a blog post or a public comment? Everyone should be able to see it, but only the original author should be able to change or delete it. This is a classic pattern that requires splitting your read and write permissions.

To pull this off, you'll need to store the creator's uid inside the document itself. Let's imagine a posts collection where each post document has a field called authorId.

service cloud.firestore { match /databases/{database}/documents { match /posts/{postId} { // Anyone can read the post, even unauthenticated users. allow read: if true;

  // Only the original author can update or delete it.
  // The incoming data for an update must match the existing authorId.
  allow update, delete: if request.auth.uid == resource.data.authorId;

  // When creating a new post, ensure the authorId being set
  // matches the person creating it.
  allow create: if request.auth.uid == request.resource.data.authorId;
}

} }

Notice how we've broken write down into create, update, and delete. This gives us much finer control. We use resource.data to check the data that's already in Firestore, and request.resource.data to inspect the new data being sent. This simple distinction is crucial for stopping a user from creating a post and cheekily assigning it to someone else.

Implementing Role-Based Access Control

As your app gets more complex, you'll almost certainly need different access levels. Think users, moderators, and admins. A common approach is to manage these roles either in a separate users collection or by using Firebase Authentication's custom claims.

Let's stick with the collection approach for now. You could have a role field in each user's profile document.

Key Insight: To make role-based security work, your rules need to look up a user's role from another document. The get() function is your best friend here, allowing a rule to fetch data from anywhere else in your database.

Say you want to allow anyone with an admin role to delete any post. You'd add a bit of logic to your posts rule like this:

// Helper function to check the user's role function isAdmin() { return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin'; }

// ... inside the posts match block match /posts/{postId} { // ... other rules ...

// Admins can delete any post allow delete: if isAdmin() || request.auth.uid == resource.data.authorId; // original author can also delete } This is a seriously powerful technique, but don't forget that every get() call is a billable Firestore read. Use them wisely!

Cross-Service Rules for Complex Validation

Now for something really clever: writing a Firebase security rule for one service that checks data in another. A perfect example is validating a file upload to Cloud Storage by checking a user's permissions stored in Firestore.

This became much more straightforward after the September 2022 update, which introduced firestore.get() for Storage rules. You can now, for instance, check if a user has a "premium" subscription in their Firestore profile before letting them upload a massive file to Storage.

As the official announcement on the Firebase Blog explains, this convenience isn't free. Each firestore.get() call from a Storage rule adds a little latency—around 75 milliseconds for same-region requests and up to 200 milliseconds for cross-region requests. It also counts as a billable Firestore read, so it's a trade-off between convenience and performance.

Testing and Deploying Your Rules with Confidence

Getting your Firebase security rule logic right is a great first step, but it’s really only half the job. A rule that seems bulletproof on paper can still spring leaks when it meets the real world of your application. To sidestep any nasty surprises, you have to treat your rules just like any other mission-critical code. That means rigorous testing and a disciplined deployment process are non-negotiable.

Think of this as shifting your mindset from architect to quality assurance pro. The aim here is to build a safety net that catches errors long before they can ever impact a user or expose a single byte of data. It’s all about moving quickly without breaking things, ensuring every new feature ships with security baked in, not bolted on afterwards.

Local Testing with the Firebase Emulator Suite

Your first line of defence, and arguably your most powerful tool, is the Firebase Emulator Suite. Imagine it as a complete, self-contained Firebase project that runs entirely on your local machine. It's the perfect sandbox for putting your security rules through their paces against a local version of Firestore, Realtime Database, or Cloud Storage, all without any risk to your production data.

This local setup lets you simulate every scenario imaginable. You can test how your rules react to authenticated users, unauthenticated guests, or even users with specific custom claims, without ever touching your live authentication system. The Emulator Suite even includes a UI with the Rules Playground, a visual tool where you can simulate requests and see exactly which line of your rules granted or denied access.

This immediate feedback is incredibly valuable. It means you can write a rule, test its logic, spot a flaw, and fix it in seconds—not minutes or hours. For instance, you could simulate a user trying to edit another user’s profile and instantly get confirmation that your rule correctly blocked the attempt.

Writing Automated Unit Tests for Rules

While the Emulator UI is fantastic for quick manual checks, genuine confidence comes from automation. The Emulator Suite empowers you to write automated unit tests for your rules using popular frameworks like Jest or Mocha. This is where you can systematically verify every single access control scenario that your app relies on.

Here’s a typical way to structure your tests:

Set Up the Test Environment: First, you initialise the emulators and load the local database with some sample data that’s relevant to your test cases.
Simulate Requests: Next, you write tests that try to read, write, update, or delete data under various conditions—for example, as a logged-in user, an admin, or an anonymous visitor.
Assert the Outcome: For each test, you then assert whether the operation should be allowed (assertSucceeds) or denied (assertFails).

This approach transforms your security logic from a manual checklist into a repeatable, automated test suite. Now, every time you tweak your Firebase security rule file, you can run your tests to guarantee you haven’t accidentally created a regression or opened up a new vulnerability.

Treating your rules as code—with robust testing, versioning, and safe deployment—is the only sustainable way to manage security in a growing application. It moves security from a source of fear to a source of confidence.

This process becomes even more critical when dealing with cross-service rules, where one service needs to check data in another to make a decision. The flow diagram below shows just such a scenario.

Cross-service rules process flow diagram showing data storage, processing, and final decision stages.

Here, you can see how a request to Cloud Storage might trigger a lookup in Firestore to authorise the action. This kind of interaction makes automated testing essential for verifying that the entire chain of logic works as intended.

Safe Deployment and CI/CD Integration

Once your rules have passed all their tests, it’s time to get them into production. While the Firebase CLI makes deployment simple, you need to adopt a process that minimises risk. A cardinal rule: never, ever edit rules directly in the Firebase console for your production project. It's a recipe for manual errors and disaster.

Instead, your firestore.rules file should live in a version control system like Git, right alongside your app's source code. This gives you a complete audit trail of every change, making it easy to see who changed what, when, and why.

For a truly professional workflow, take it one step further and integrate rule deployments into your CI/CD (Continuous Integration/Continuous Deployment) pipeline. This means that every time you merge a change into your main branch, an automated process can:

Run your entire suite of security rule tests.
If all tests pass, automatically deploy the new rules to Firebase.

This automation ensures that no insecure code ever makes it to production. It removes the element of human error from the deployment process and gives your team the confidence to make changes, knowing a solid safety net is always in place.

Right, you’ve written your rules, tested them in the emulator, and deployed them carefully. That’s a solid start, but let's be honest—it’s not enough. Even the most disciplined teams can miss subtle flaws in a complex Firebase security rule, especially when you're shipping features quickly. This is where manual best practices hit a wall and automated security needs to take over.

The reality is that your rules are a critical attack surface. Relying solely on unit tests and manual checks is like proofreading a novel by only checking for spelling mistakes—you’ll miss the gaping plot holes. For any team moving fast, continuous security scanning isn't just a nice-to-have; it's a fundamental part of the development cycle. It’s your automated "red team," constantly probing your defences for the kinds of logical gaps that a human review or a simple syntax check will almost always miss.

Going Beyond Basic Syntax Checks

This is exactly why tools like AuditYour.App were created. It’s built to find critical flaws before an attacker does, going far beyond what the Firebase Emulator can manage on its own. The emulator is fantastic for checking that your rules work as expected, but it does nothing to search for unexpected vulnerabilities.

An automated scanner connects the dots between your data structure, your rules, and your app's logic. It's designed to spot the tricky issues that only appear when everything works together, such as:

Subtle Data Leaks: Finding edge cases where one user can accidentally read another user's private information.
Exposed Data Paths: Identifying collections that have been unintentionally left open for public reading or writing.
Logical Flaws: Uncovering scenarios where a chain of allow conditions creates an exploitable loophole.

Here's how AuditYour.App shows you these findings. It immediately flags the most critical vulnerabilities in your Firebase project.

A dashboard like this gives you a clear, at-a-glance report card on your security health, turning abstract rule files into something concrete and actionable.

The Power of an Automated Red Team

Perhaps the most powerful thing an advanced scanner can do is prove that a data leak is possible. For instance, AuditYour.App uses a technique called RLS logic fuzzing. It systematically throws thousands of different user identities and data requests at your rules to confirm if a read or write operation can slip through the cracks. This isn't a theoretical warning; it's hard proof of a vulnerability.

An automated scanner is the safety net that lets your team ship features quickly and confidently. It doesn’t replace good development habits—it reinforces them by catching what humans inevitably miss.

What's more, integrating AI-assisted findings helps you quickly get to the bottom of an issue. The tool not only tells you what's wrong but also provides clear advice on how to fix it. This combination of deep scanning and intelligent reporting closes the loop between spotting a problem and getting it solved. If you want to see how this works in practice, have a look at our automated security scanning guide.

Ultimately, bringing an automated tool into your workflow shifts your security posture from being reactive to proactive. It provides the continuous assurance you need to build and iterate on your Firebase app, knowing your digital bouncer is always on high alert.

Firebase Security: Your Questions Answered

As you dive into securing your Firebase app, you'll inevitably run into a few common hurdles. It happens to everyone. Let's clear up some of the most frequent questions that pop up.

What's the Real Difference Between Firestore and Realtime Database Rules?

While they both secure your data, the way they do it is fundamentally different. It's not just a syntax change; their entire logic model is distinct.

Firestore Rules: These are the modern, more powerful option. They give you incredibly fine-grained control. The big win here is non-cascading logic, meaning a rule on a parent document doesn't automatically apply to its subcollections. You can also perform powerful server-side validation using functions like get() and exists() to check other documents before allowing an operation.
Realtime Database Rules: These use an older, JSON-based structure. Their defining feature is that they cascade. If you grant someone read access to a path, they can read everything nested underneath it, no exceptions. This can be simpler for basic apps, but it's far less flexible and can easily lead to accidentally exposing data.

How Do I Figure Out Why My Rule Isn't Working?

Debugging a rule that’s blocking a valid request (or worse, allowing an invalid one) is a core skill. Your best friend here is the Firebase Emulator Suite, specifically its Rules Playground.

This tool is a lifesaver. It lets you simulate requests as if you were any user—authenticated or not—and run them against your rules. The playground then shows you exactly which line of code led to the allow or deny decision. It’s the fastest way to iron out logic bugs before you even think about deploying.

If you're troubleshooting a live issue, head over to the 'Rules' tab in your Firebase console. It logs recent evaluations and any errors, which can give you clues about what's going wrong in production.

A classic trip-up for newcomers: read and write permissions are completely independent. Just because you give a user allow write access doesn't mean they can see a single piece of data. You have to grant allow read separately.

Can a User Read Data If They Only Have Write Access?

Absolutely not. Firebase rules work on a principle of explicit permissions; there are no "bonus" permissions. The read and write operations are treated as entirely separate actions.

If your rule only grants allow write: if request.auth != null;, an authenticated user can create, update, or delete data in that path, but any attempt to fetch it will be denied. They are effectively writing into a black box. If you want them to see the content they're managing, you must add an explicit allow read rule.

Stop guessing about your app's security. AuditYour.App acts as an automated red team, finding subtle misconfigurations and data leaks in your Firebase rules before attackers do. Get your free scan and upgrade your security grade in minutes at https://audityour.app.