How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Your Guide to Firebase Authentication Security

When we talk about Firebase Authentication security, the biggest threat isn't some sophisticated flaw in the service itself. It’s almost always simple, human error. A misconfiguration is all it takes to leave your user data completely exposed. It’s a bit like having a state-of-the-art security system on your house but leaving the front door unlocked. The lock is great, but it’s useless if you don't use it properly.

The Hidden Dangers in Default Configurations

Firebase is designed to help developers get up and running fast, and it’s brilliant at that. But this speed can come with a hidden security cost. It’s incredibly easy, especially if you’re new to the platform, to overlook a critical setting and accidentally create a vulnerability. Imagine being handed the keys to a high-performance sports car with all the safety features disabled by default—it’s powerful, but you’re heading for disaster without a proper setup.

The most common and damaging mistake we see is launching an app with overly permissive security rules. A default rule like .read: true is a perfect example. It's handy for a quick test because it grants anyone on the internet read access to your entire database. Forgetting to tighten that rule before going live is catastrophic. You’ve basically just wheeled your company’s filing cabinets out onto the street for anyone to sift through.

Real-World Consequences of Misconfiguration

This isn't just a theoretical problem; these mistakes have led to enormous data breaches. In one major security incident in March 2024, misconfigurations across more than 900 Firebase-powered websites left at least 125 million user records exposed. This wasn't trivial data, either—it included 106 million email addresses and 20 million plaintext passwords, all because the backend data wasn't properly secured. You can explore the full details of this widespread Firebase security failure to understand the sheer scale of the problem.

To help you get a quick overview of the most common issues we find, here’s a summary of the typical vulnerabilities and their impact.

Firebase Authentication Security at a Glance

This table covers the low-hanging fruit for attackers, but it's by no means an exhaustive list. The core issue remains the same: Firebase gives you the tools to be secure, but it’s entirely on you, the developer, to implement them correctly.

Other common attack vectors that we frequently encounter include:

Exposed API Keys: While some Firebase keys are designed to be public, developers sometimes accidentally commit privileged server-side keys into their client-side code. This gives an attacker a direct, trusted line into your backend.
Lack of Server-Side Verification: Relying only on the client to tell you a user is logged in is a recipe for disaster. Any determined attacker can bypass checks in the browser or mobile app and hit your database directly unless you’re verifying user ID tokens on your server.
Unprotected Cloud Functions: An HTTP-triggered Cloud Function without an authentication check is just an open, public API. It's a prime target for abuse, whether for stealing data or running up your cloud bill. You can learn more about how this leads to an authenticated data leak in our detailed guide.

The core danger lies in the "move fast and break things" culture colliding with security fundamentals. A configuration that takes seconds to set up for a prototype can become a permanent, gaping security hole if not revisited before launch. Proactive security isn't a "nice-to-have"; it's a non-negotiable part of the development lifecycle.

Understanding How Firebase Authentication Really Works

To properly secure your app, you first need to get your head around what’s actually happening behind the scenes. Solid Firebase authentication security isn’t about ticking boxes on a checklist; it’s about truly understanding how Firebase knows who your users are and, just as importantly, how it trusts them. At its core, it's a slick, well-rehearsed exchange of digital credentials.

Let’s think of it like going through airport security. A user first shows their "passport" to Firebase—this might be their email and password, or credentials from a social provider like Google or Apple. These are known as Identity Providers. Once Firebase has checked that the passport is legit, it doesn't need to see it again for every single interaction.

Instead, Firebase issues a temporary, digitally signed "boarding pass" called a JSON Web Token (JWT). This token is a small, self-contained, and tamper-proof credential that your user's app (the client) holds onto. It then shows this JWT with every request it makes to your backend services, like Firestore or Cloud Functions. In effect, the token is constantly saying, "I'm User X, and Firebase has already confirmed my identity."

The real danger lies in getting the setup wrong. A simple misconfiguration can easily become a major attack vector, often leading to serious data breaches.

A Firebase security concept map showing misconfiguration leading to Firebase, which can cause data breaches.

As you can see, the path from a small mistake to a full-blown breach is frighteningly short, which is why we have to get this right.

The Lifecycle of a Firebase ID Token

The whole security model depends on the lifecycle of this JWT, or ID Token as it's often called. If you can follow a token from the moment it's created to the moment it expires, you’ll be in a much better position to spot potential weaknesses.

Here’s how the process breaks down:

User Sign-in: The user enters their details into the Firebase Authentication SDK on your web or mobile app.
Provider Verification: Firebase takes those details and checks them with the chosen Identity Provider (whether that's its own email/password system or an external one like Google's).
Token Issuance: Once the user is verified, the Firebase Authentication service creates a short-lived ID Token and sends it back to the app. This token contains key details like the user's unique ID (UID), the sign-in method, and, crucially, an expiry time.
Client-Side Storage: Your app stores this token and includes it with any requests to access protected resources.
Backend Validation: When a request hits a service like Firestore, the first thing it does is check the ID Token. It verifies the digital signature to make sure the token is genuine and hasn't been messed with. It also checks that the token hasn't expired. Only if everything checks out does it let the request proceed.

Key Insight: Firebase ID tokens have a default lifetime of just one hour. This isn't an accident; it's a deliberate security design choice. If a token ever gets intercepted, its usefulness to an attacker is limited to a very brief window.

The Role of Refresh Tokens

So, what happens after that hour is up? Do you force the user to log in all over again? Thankfully, no. This is where Refresh Tokens come in.

When Firebase issues the short-lived ID Token, it also provides a much longer-lived Refresh Token. The Firebase SDK stores this token securely and uses it quietly in the background. When the main ID Token is about to expire, the SDK automatically uses the Refresh Token to get a brand new ID Token, all without interrupting the user. You rarely have to touch this process yourself; it just works.

But this reliance on client-side tokens brings us to a critical weak point in Firebase authentication security. What if an attacker doesn't even use your app? What if they craft their own malicious requests and send them directly to your backend? This is precisely why just trusting the client is never enough. You absolutely need server-side validation, a point we'll dive into later.

For now, getting the fundamentals right is your first line of defence. Our guide on Firebase Security Rules and Functions is the perfect place to start building that solid foundation.

Common Firebase Misconfigurations and How to Spot Them

Exposed API key and permissive 'read' rule with .env leak warning, depicting security vulnerabilities.

Knowing the theory behind Firebase is one thing. Finding the actual weak spots in your own application is where the real work of security begins. Most security breaches aren't the result of some elaborate, Hollywood-style hack; they’re caused by simple misconfigurations—the digital equivalent of leaving the back door unlocked.

These errors often creep in under the pressure to launch quickly. We use default settings that make development a breeze but leave our production apps wide open. It’s a classic case of convenience today causing a catastrophe tomorrow.

Think of it like a pre-flight checklist. Before a plane takes off, every critical system has to be checked. A single overlooked switch can have disastrous consequences, and the same principle applies to your Firebase authentication security. We're not talking about complex zero-day exploits here, but basic, avoidable mistakes.

A sobering report from the UK government’s Cyber Security Breaches Survey 2023 shows just how much basic digital hygiene is slipping. The use of password policies dropped from 79% to 70% and network firewalls fell from 78% to 66% between 2021 and 2023. For those of us building on Firebase, this is a stark reminder of the risks we run by neglecting the fundamentals.

So, let's dive into the most common mistakes I see in the wild. I'll show you exactly what they look like in the code so you can become your own best security auditor.

Overly Permissive Security Rules

This is, by far, the most frequent and damaging vulnerability in Firebase projects. Your Security Rules are the gatekeepers for your data in Firestore, Realtime Database, and Cloud Storage. When those rules are too broad, you might as well have no gatekeeper at all.

The most notorious culprit is the set of rules often used for initial testing, simply to get things working:

// DANGEROUS: Do NOT use in production { "rules": { ".read": "true", ".write": "true" } }

This configuration literally allows anyone on the internet to read and write to your entire database. It’s an open invitation for data theft and vandalism. A slightly more subtle—but still dangerous—mistake is allowing any authenticated user to access everything:

// STILL DANGEROUS: Any user can read/write any data { "rules": { ".read": "auth != null", ".write": "auth != null" } }

While this might seem like an improvement, it means any logged-in user can snoop on, modify, or even delete another user's private data. This is a massive privacy breach just waiting to happen.

How to spot it:

Audit your Security Rules in the Firebase console. Hunt for any instance of .read: "true" or .write: "true".
Look for rules that only check for authentication (auth != null) without also validating that the user's ID (auth.uid) matches the data they're trying to access.

Exposed Environment Variables and API Keys

API keys are another huge point of confusion and risk. Let’s be clear: your client-side Firebase config object, which includes the apiKey, is designed to be public. It simply identifies your project to Google's servers; it doesn't grant any special permissions on its own. Your Security Rules are what handle that.

The real danger lies in mishandling privileged keys. These are the secrets that absolutely must remain secret.

Server Admin SDK credentials: This is the JSON file that gives you 'god mode' over your entire Firebase project.
Third-party service keys: Think of keys for services like Stripe, SendGrid, or any other API you call from your Cloud Functions.

These keys should never, ever find their way into your client-side code. Committing them to a public GitHub repository is like handing over the master key to your entire business.

How to spot it:

Scan your frontend code (your JavaScript files) for anything that looks like a secret key or password.
Check your .env files. Are they listed in your .gitignore? If not, you risk committing them publicly.
Review your Cloud Functions. Make sure they load secrets from a secure environment like Cloud Secret Manager, not from hardcoded strings in the code.

Right, you know the theory and the common pitfalls. Now for the practical part: rolling up your sleeves and actually hardening your Firebase setup.

Actionable Steps to Harden Your Firebase Authentication

A diagram with the Firebase logo on a shield surrounded by four security methods: Security Rules, Server-side verification, App Check, and Restricted API Keys.

Securing your Firebase project isn't about finding one secret setting. It's a defence-in-depth strategy, where you systematically layer protections to turn those weak spots we talked about into a solid perimeter.

Let's walk through the concrete steps, turning those insecure 'before' states into the hardened 'after' configurations you need. This is your checklist for locking things down, complete with the code to get it done.

1. Write Strict and Specific Security Rules

This is your number one priority. Overly permissive rules are the front door for attackers. Your goal should be to enforce the principle of least privilege—only give users access to the absolute minimum they need to function.

Remember those dangerously open rules from before? Let's slam that door shut. Instead of a free-for-all, we'll enforce real conditions.

A classic and essential pattern is making sure users can only touch their own data. You do this by checking the incoming request's authenticated user ID (request.auth.uid) against the document's ID or a userId field inside it.

Here’s what a secure rule looks like for a users collection, where each user's document ID is their UID:

// SECURE: Users can only read/write their own data rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { // Only allow a user to access their own user profile document match /users/{userId} { allow read, write: if request.auth.uid == userId; } } }

This one rule is incredibly effective. It instantly prevents one user from snooping on or modifying another user's profile, which is one of the most common ways data leaks happen. You should apply this same logic across any collection containing user-specific data.

2. Always Verify Tokens on the Server-Side

Never, ever trust the client. An attacker can easily bypass your frontend code and hit your backend APIs directly. The only watertight way to stop this is to verify the user's ID token on your server before running any sensitive operations.

Cloud Functions are the perfect tool for this job. Before your function does anything important, it must use the Firebase Admin SDK to check that the ID token sent from the client is valid and hasn't been tampered with.

By verifying the token on the server, you establish a chain of trust that cannot be faked from the client side. This check confirms the user's identity is legitimate and that the request hasn't been tampered with, forming a non-negotiable part of your Firebase security posture.

Here’s a simple Cloud Function showing how this verification works in practice:

// SECURE: Verifying the ID token in a Cloud Function const functions = require('firebase-functions'); const admin = require('firebase-admin'); admin.initializeApp();

exports.processUserData = functions.https.onCall(async (data, context) => { // First, check if the request is even authenticated. if (!context.auth) { throw new functions.https.HttpsError( 'unauthenticated', 'The function must be called while authenticated.' ); }

// Authentication is verified. context.auth.uid is now trustworthy. const uid = context.auth.uid; console.log(Verified request from user: ${uid});

// Now, and only now, can you safely proceed with the function's logic. // ... });

This pattern guarantees that your backend code only ever executes for genuine users, closing a massive hole in your defences.

3. Lock Down API Keys and Enforce App Check

Your client-side API key might be public by design, but that doesn't mean it should be a free-for-all. It's crucial to restrict it in the Google Cloud Console to prevent abuse, such as attackers running up your bills with quota-draining attacks. You should apply API restrictions, whitelisting only your app's domain, IP addresses, or mobile app bundle IDs.

For the next level of client-side protection, you need to enable App Check. Think of it as a bouncer at the door of your Firebase backend. It checks credentials to make sure requests are coming from your genuine, untampered app—not from a bot, a script, or some rogue client.

App Check uses an attestation provider to prove the client is legitimate:

Web Apps: Use reCAPTCHA Enterprise for silent, behind-the-scenes verification.
Mobile Apps: Use Play Integrity on Android or DeviceCheck/App Attest on iOS.

Once it's switched on, you can enforce App Check across Firestore, Cloud Functions, and other services. This creates a powerful shield that blocks a huge amount of fraudulent traffic before it can even test your Security Rules. It's a high-impact security win you can enable with just a few clicks.

To give you a quick reference, here’s a checklist comparing common weak spots with the secure configurations we've just discussed.

Firebase Hardening Checklist

| Security Layer | Insecure Default/Common Practice | Recommended Secure Configuration | | :--- | :--- | :--- | | Security Rules | allow read, write: if true; or if request.auth != null; | allow read, write: if request.auth.uid == userId; (Enforce resource ownership) | | Backend Logic | Trusting data/UIDs sent from the client app. | Verifying ID tokens in a server environment (e.g., Cloud Functions) using the Admin SDK. | | API Key Security | Using an unrestricted, public API key. | Applying HTTP, IP, or App restrictions to the key in the Google Cloud Console. | | Client Verification | No verification; any client can send requests. | Enabling and enforcing App Check with a provider like reCAPTCHA or Play Integrity. | | User Sign-up | Allowing anonymous sign-up or simple email/password without checks. | Enabling email verification, multi-factor authentication (MFA), and rate limiting sign-ups. |

Working through this checklist is a great start. But security isn't a one-time task; it's a continuous process. Automated tools that scan for these kinds of misconfigurations, like AuditYour.App, are built to catch these issues early and can be integrated into your development lifecycle to ensure you stay secure.

Automating Security with Continuous Monitoring

Building a secure app isn't a one-and-done task; it's a continuous process. In today’s world of rapid development, new code is often pushed daily. While this pace is fantastic for innovation, it also means new security holes can easily slip through the cracks. This is where automation stops being a luxury and becomes an absolute necessity.

The key is to "shift security left"—a fancy way of saying we need to build security checks into the earliest stages of development. Rather than waiting for a frantic, last-minute audit before a major launch, security becomes a routine, automated part of every single code change. This practice of continuous monitoring is what will keep your Firebase authentication security strong for the long haul.

Integrating Scanners into Your CI/CD Pipeline

So, how do you make this happen in practice? The most effective approach is to bake security scanning directly into your Continuous Integration and Continuous Deployment (CI/CD) pipeline. Imagine a tireless security expert automatically inspecting every piece of new code for common flaws before it ever gets merged into your main branch.

That's exactly what an automated security scanner does. These tools are built to programmatically hunt for the very issues we’ve been discussing:

Overly generous security rules that accidentally leave data open to the public.
Unprotected Cloud Functions that are missing vital authentication checks.
Exposed API keys or other credentials mistakenly committed to the repository.
Outdated libraries with well-known, exploitable vulnerabilities.

When you set this up, your pipeline can automatically block a build if it detects a critical security flaw. The developer gets instant feedback, allowing them to fix the problem immediately—not weeks or months down the line when it’s discovered by an attacker.

A modern scanner gives your team a clear, immediate picture of your app's security health, as you can see in the example dashboard below.

This kind of visual overview instantly flags the most critical risks, helping developers prioritise what to fix without needing to be security gurus themselves.

The Business Case for Automated Security

Bringing these tools on board isn't just a good technical habit; it's a smart business move. The cost of a data breach, both in fines and lost reputation, can be devastating. According to the UK government's Cyber Security Breaches Survey, the average cost for a business hit by a cyber crime incident is a staggering £15,300. Despite this, awareness of security best practices is worryingly low—only 9% of businesses are reported to adhere to the ISO 27001 standard.

Automated security tools help bridge that awareness gap. They act as an embedded expert, constantly checking your configuration against known attack patterns and providing a crucial safety net that manual reviews can easily miss.

This proactive stance shifts your team's mindset from reactive fire-fighting to preventative engineering. Instead of scrambling to patch a breach after the damage is done, you empower your developers to build secure code from day one. To learn more about how to put these systems into action, our guide on automated security scanning offers a thorough walkthrough. It explains how to integrate these powerful tools into your workflow, ensuring your Firebase application stays safe as it scales.

Your Firebase Authentication Security Questions Answered

When you're deep in the trenches building your app, it’s only natural for specific security questions to crop up. The official documentation gives you the "what," but it's the "why" and "what if" that often cause the most head-scratching. Let's clear up a few of the most common points of confusion I see developers struggle with.

Think of this as a practical chat about those tricky scenarios that can make or break your app's security. We'll get straight to the point with clear, actionable answers.

Is It Safe to Store My Firebase API Key on the Client Side?

Yes, for the most part, it is. It might feel wrong, but the standard Firebase API key you find in your client-side config object is designed to be public. Its job is simply to identify your Firebase project to Google's servers.

Think of it less like a secret password and more like your office's street address. It tells people where to find you, but it doesn't give them the keys to get inside. Your real security comes from your Firebase Security Rules and any server-side validation you perform.

However, there's a huge caveat: you absolutely must restrict your API key in the Google Cloud Console. Without restrictions, anyone could grab your key, plug it into their own project, and start hammering your Firebase services, potentially running up a massive bill. This is a common and costly form of abuse. And it should go without saying, but never, ever embed privileged server-side keys in your client-side code.

How Do I Protect Against Brute Force Attacks?

Firebase does give you a head start here, with built-in protections that automatically disable accounts after a string of failed login attempts. But you can, and should, do more.

First, head to your Firebase project settings and enable Email Enumeration Protection. This simple toggle stops attackers from figuring out which user emails are registered in your system just by trying them at the sign-in page.

A crucial second step is implementing App Check. It verifies that login requests are coming from your genuine app, not from an automated script or bot. This is your most powerful defence, effectively stopping most brute-force attempts before they even reach the authentication service. I can't recommend it enough.

What Is the Difference Between Security Rules and App Check?

This is a fantastic question because they sound similar but serve entirely different purposes. Getting this right is key to a layered defence. They each answer a different, fundamental question:

Security Rules are all about authorisation. They ask, "Is this particular user allowed to do this specific thing to this piece of data?" For instance, a rule can ensure a user can only edit a profile document if the document's ID matches their own user ID (uid). They control what authenticated users can do inside the house.
App Check is all about attestation. It asks, "Is this request coming from a legitimate, untampered version of my application?" It's your bouncer at the front door, blocking traffic from dodgy clients, bots, and scripts, even if they somehow have valid user credentials.

To put it simply: App Check guards the front gate, and Security Rules guard the individual rooms inside. You really do need both.

Ready to stop guessing and start knowing? AuditYour.App provides continuous, automated scanning to find critical Firebase misconfigurations before they become a threat. Go from security uncertainty to shipping with confidence in minutes. Get your free scan today.