How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Your Guide to Bulletproof Firebase Database Security

When we talk about Firebase security, what we’re really talking about are the rules you write to control who can see and change the data in your Realtime Database or Cloud Firestore. This isn't just a checkbox on a deployment list; it's a fundamental layer of defence that you, the developer, are entirely responsible for building correctly.

Why Firebase Security Is Your First Line of Defence

Cartoon illustrating Firebase Realtime Database as an open safe and Cloud Firestore as a locked door with security rules.

Picture your Firebase database as a digital strongroom filled with your users' valuable information. Without proper security, the door to that strongroom is left wide open. Anyone with the URL can walk right in, look through everything, and even set it all on fire. That’s not a hypothetical scenario; it’s the out-of-the-box reality for many Firebase projects.

The root of the issue is that Firebase is often intentionally left insecure during setup to make development faster and easier. This deliberate trade-off for speed puts the onus squarely on you to lock it down. True Firebase database security isn't about fancy cryptography; it's about writing clear, logical rules that act as the bouncer for your application's data.

Before we dive deeper, let's quickly summarise the core concepts that form the bedrock of a secure Firebase application. These are the pillars we'll be exploring throughout this guide.

Firebase Security Pillars at a Glance

These three pillars work together. Authentication tells you who is at the door, and your security rules decide if they're allowed inside and what they can do once they get there.

The Two Locking Mechanisms

Firebase gives you two primary database options, and each comes with its own unique security model. Think of them as two different types of locks.

Realtime Database: This is the original Firebase database, a NoSQL database that stores data as one large JSON tree. Its security rules are also written in a JSON-like format, creating a cascading structure that mirrors your data.
Cloud Firestore: The newer, more scalable NoSQL database. Firestore organises data into documents and collections. Its security rules use a more flexible, script-like syntax, giving you the power to write much more complex and granular validation logic.

Knowing which one you’re using is step one, because their rule syntax and capabilities are completely different.

The most important mental shift for any developer is realising that client-side code can always be pulled apart and manipulated. Your Firebase security rules are the only thing standing between your data and a malicious actor, because they are enforced on Google's servers.

An Absolute Necessity

Ultimately, getting your security rules right isn't just a "best practice"—it's non-negotiable. A single misconfiguration can open the door to a devastating data breach that shatters user trust or total data loss that kills your app. Recent research has shown thousands of apps have leaked sensitive user data due to poorly written rules, proving this is a widespread and ongoing problem.

This guide is designed to give you the practical skills to go from a vulnerable default state to a securely fortified database. We’ll cover everything from the crucial partnership between Authentication and security rules to advanced techniques for testing and monitoring. By the time you're done, you'll know how to build a fortress around your data.

Connecting Authentication and Security Rules

Firebase Authentication and your database security rules are two sides of the same coin. On their own, they’re useful, but when they work together, they become the backbone of your application's security. It's a critical partnership you can't afford to get wrong.

Think of Firebase Authentication as the bouncer at your app's front door. Its one and only job is to rigorously check IDs and verify who each user is. Whether they sign in with an email and password, a social account, or a phone number, Authentication confirms their identity and hands them a unique, tamper-proof token. This token is their digital pass for the night.

But that pass only gets them in the door. It proves who they are, not what they're allowed to do. This is where your security rules come in. They are the internal security team, checking that pass to decide which rooms (data paths) the user can enter and exactly what they can do once inside.

The Secret Handshake of Firebase Security

So, how do these two systems talk to each other? The magic happens via the request.auth object, which is automatically available inside your security rules. When an authenticated user tries to access your database, Firebase attaches their auth token to the request. Your rules can then inspect the information baked into that token, most importantly, the user's unique ID (uid).

The request.auth.uid variable is the lynchpin of Firebase database security. It gives your rules the verified identity they need to make smart, user-specific access control decisions. Without it, your rules are essentially flying blind, unable to tell one user from another.

This simple connection lets you write incredibly powerful rules based on data ownership. For instance, a user should always be able to edit their own profile, but they should never be able to touch anyone else's. By comparing the incoming request.auth.uid to the user ID stored in the document's path, you create an unbreakable link between a user and their data. A solid understanding of both authentication and authorisation is fundamental, and you can learn more about securing user identity in our comprehensive Firebase Authentication security guide.

The example below shows just how this connection works in a real rule.

This screenshot from the official Firebase documentation shows a basic but essential rule: only allow a user to read or write their own data. It works by matching the authenticated user's uid with the {userId} wildcard in the document path.

Writing Basic Read and Write Rules

At the heart of it all are the .read and .write rules. These are the most fundamental controls you have, determining who can fetch data and who can create, change, or delete it. Let's see what this looks like in practice for both Firestore and the Realtime Database.

Firestore Example: User Profile Rule

In Cloud Firestore, you'll often have a users collection where each document's ID is the user's uid. A secure rule for this setup is beautifully simple.

service cloud.firestore { match /databases/{database}/documents { // Only allow a user to read and write their own document // in the 'users' collection. match /users/{userId} { allow read, write: if request.auth.uid == userId; } } }

This rule is concise but packs a punch. It declares that for any document inside the /users/ collection, access is granted only if the logged-in user's ID (request.auth.uid) perfectly matches the document's ID (userId). This one line is all it takes to stop users from snooping on or messing with each other's profiles.

Realtime Database Example: User Data Rule

The same principle applies to the Realtime Database, just with a different syntax. Here, your data is one big JSON tree, and rules cascade downwards.

{ "rules": { "users": { "$uid": { // Allow read and write access only if the // authenticated user's ID matches the path's $uid. ".read": "auth.uid == $uid", ".write": "auth.uid == $uid" } } } }

In this JSON structure, $uid is a wildcard that represents any key under the users path. The rules inside then check if the built-in auth.uid variable (the logged-in user's ID) is the same as that key. If they match, access is granted. If a user tries to access /users/some_other_uid, the check fails, and the request is denied. This is how you achieve perfect data isolation for every user.

Alright, let's move from theory to the real world. It's one thing to understand how security rules should work, but it's far more valuable to see where developers commonly trip up. These aren't just hypothetical risks; these are the all-too-common blunders that have led to serious data breaches in thousands of apps.

By looking at these classic mistakes, you'll learn to spot the warning signs in your own projects. The goal here isn't just to write rules, but to build a defensive mindset that protects your data at every turn.

The Infamous Test Mode Trap

If there's one mistake that stands above all others in terms of frequency and potential for disaster, it's this: leaving a database in test mode. It often happens during the frantic early days of development. For the sake of convenience, you set up a simple rule, telling yourself you'll fix it later.

Then you forget.

// DANGER: This rule allows anyone to read and write all data! // This should NEVER be used in a production environment. { "rules": { ".read": "true", ".write": "true" } }

This tiny snippet of code effectively dismantles every security measure you have. It’s the digital equivalent of leaving your front door wide open with a neon sign flashing "Help Yourself!" Anyone who stumbles upon your project's URL can read, alter, and delete your entire database. No password, no login, nothing.

The Consequences of Open Doors

The fallout from an oversight like this can be catastrophic. Think about what a malicious user could do with that kind of unfettered access:

Wipe your entire customer database, causing irreversible data loss and bringing your app to a screeching halt.
Steal sensitive user information, destroying your users' trust and creating a privacy nightmare.
Grant themselves admin privileges by simply editing their own user profile, effectively hijacking your application.

This is precisely why a proper security flow is so important. A request should always be challenged before it ever gets near your data.

Diagram illustrating the Firebase security flow: User authentication, authorization, and data protection.

As you can see, a secure system first uses Authentication to confirm who the user is. Only then do the Security Rules step in to decide what they are allowed to do. Leaving your database wide open bypasses this entire, critical process.

Failing to Validate User Input

Another incredibly common disaster is placing too much trust in the data sent from your app. A savvy attacker won't use your app's user interface; they'll bypass it and send handcrafted, malicious requests directly to your database endpoint. If you aren't validating that data on the server-side with your rules, you're asking for trouble.

For example, imagine your user profiles have a role field. If you don't write a rule that explicitly locks down who can edit that field, what’s to stop a user from sending a simple update request to promote themselves? {'role': 'admin'}. Just like that, they're in control.

Your security rules are your last, and most important, line of defence. Never, ever trust the client. You must always validate the shape, type, and content of incoming data (request.resource.data) before you allow any write operation.

A robust rule would strictly limit who can modify the role field or ensure it can only be set to non-privileged values. This is a foundational principle of solid Firebase database security.

Accidentally Exposing Sensitive Data

Even when you have authentication in place, it's surprisingly easy to write rules that are too generous, accidentally exposing sensitive information. A classic case is granting broad read access to an entire collection, forgetting what might be hiding inside some of those documents.

Let's say a rule allows any logged-in user to read the entire users collection. This might seem harmless—you just want to display a list of usernames. But what if those user documents also contain private email addresses, phone numbers, or other personal data? You've just created a data leak.

To prevent this, you need to be surgical with your data structure and rules:

Grant access narrowly. Only give users permission for the specific documents and data paths they absolutely need to do their job. No more.
Separate public and private data. A brilliant strategy is to split user data. For instance, create /users/{userId}/publicProfile for display names and avatars, and a separate /users/{userId}/privateDetails for emails and phone numbers. Apply much stricter rules to the private collection.
Think like an attacker. For every single rule you write, stop and ask yourself, "How could someone abuse this?"

Learning from these common disasters will help you develop that crucial security-first mindset. It's what separates a functional app from one that is a genuinely safe and trustworthy home for your users' data.

Right, knowing the common pitfalls is one thing, but actually putting strong security rules into practice is a whole different ball game. This is where we stop talking theory and start writing secure code. These are the actionable strategies that will form the core of your Firebase database security.

If you take only one thing away from this guide, let it be the Principle of Least Privilege. It’s a simple concept with massive implications: only grant a user the absolute minimum access they need to do their job, and nothing more. If someone just needs to read data, don't give them write access. If they only need their own profile document, don't let them see the entire user collection.

Getting this mindset right is crucial. Think of every permission you grant as a potential doorway for an attacker. Your default stance should always be to deny access, only opening a door when a specific, justifiable need arises.

Embrace the "Never Trust the Client" Mentality

You have to work from the assumption that any data sent from a user's device is potentially hostile. A determined attacker won't be using your beautifully crafted app interface; they'll be using tools to send custom, malicious requests directly to your Firebase backend. Your security rules are your last and only line of defence on the server.

This means you need to validate everything. It’s not enough to check who is making the request; you have to check what they’re sending. Use the request.resource.data object in your rules to inspect incoming data before you even think about writing it to the database.

Validate Data Types: Is that score field actually a number, or is it a malicious string?
Check Data Ranges: A star rating should be between 1 and 5, not 5,000.
Enforce Immutability: Some fields, like a createdAt timestamp or a userId, should be written once and never changed. Lock them down.
Control Field Access: Stop users from giving themselves an isAdmin role or changing their own subscription tier.

By meticulously validating incoming data, you shut down entire classes of attacks and prevent your database from being filled with junk.

Structure Your Data for Secure Access

How you organise your data in Firestore or the Realtime Database has a huge impact on how easily you can secure it. A simple and incredibly effective pattern is to tie data directly to a user's unique ID (uid). This makes writing rules based on ownership almost effortless.

Key Takeaway: By using a user's uid as a document ID or as a key in your database path, you create a natural, enforceable link between a user and their data. This massively simplifies your security logic.

Imagine you're building a blog. Instead of a generic posts collection, structure it like this: /users/{userId}/posts/{postId}. This layout makes it trivial to write a rule allowing a user to access only the posts under their own userId path. It physically separates one user's data from another's, making it much harder to write an overly permissive rule by accident.

Use Custom Claims for Role-Based Access

As your app gets more complex, simple owner-only rules won't cut it. You'll soon need different levels of access for 'moderators', 'premium_members', or 'admins'. The best way to handle this is with Firebase Auth Custom Claims.

Custom claims are just key-value pairs that you attach to a user's authentication token. The catch is that you can only set them from a secure server environment, like a Cloud Function, which means the user can't tamper with them. These claims are then easy to read inside your security rules via the request.auth.token object.

For instance, you could set a claim like admin: true on your own account. Your security rules can then check for this claim to grant special privileges.

Firestore Rule with Custom Claims // Allow a document to be deleted by its owner OR an admin allow delete: if request.auth.uid == resource.data.ownerId || request.auth.token.admin == true; This is a clean, secure, and scalable way to manage role-based access control (RBAC). It keeps permission logic out of your database, where it could be tampered with, and puts it squarely in the user's secure token.

Getting to grips with the syntax for each database is the final piece of the puzzle. While the concepts are similar, the implementation differs. Here's a quick look at how you'd tackle the same tasks in Firestore versus the Realtime Database.

Firestore vs Realtime Database Security Rule Syntax

The table below shows a practical comparison of how you'd write rules for common scenarios in each database. Notice the differences in how they access user IDs, validate data, and check for roles.

As you can see, Firestore uses functions and objects like request, while the Realtime Database relies on a JSON-like structure with predefined variables like auth and newData. Realising these syntactical differences is key to implementing best practices correctly.

Putting these strategies into action will dramatically improve your Firebase database security posture. You’ll move from a reactive mode of patching leaks to a proactive one of building a secure application from the ground up.

Testing and Validating Your Security Rules

Three sketches illustrating a code simulator, a server rack emulator, and a robot scanner.

So, you’ve written your security rules. That’s a great first step, but it’s only half the battle. Just writing the rules doesn’t prove they actually work. The crucial next step—the one that separates a secure app from a vulnerable one—is verifying that they behave exactly as you expect. This is a non-negotiable part of maintaining strong Firebase database security.

Think of your new rules like a brand-new lock you've just fitted to your front door. It looks solid, but you wouldn't just walk away and assume it works. You'd jiggle the handle, try an old key, and maybe even see if you can pick it. You have to test it. The same goes for your rules; you need to actively try to bypass your own security to find the weak spots before an attacker does.

Thankfully, Firebase gives us a few different tools for the job, each suited for different stages of development.

Manual Checks with the Firebase Rules Simulator

Your first port of call for a quick sanity check is the Firebase Rules Simulator. You’ll find this right inside the Firebase console, and it’s a brilliant tool for spot-checking your logic without writing a single line of code. It's perfect for when you've just written a new rule or need to figure out why a request was unexpectedly denied.

The simulator lets you play out different scenarios to see how your rules hold up. You can step into the shoes of different users to test various perspectives:

An Unauthenticated Visitor: Simulate a request from someone who isn't logged in. Can they see public data? Are they blocked from private areas?
A Specific Logged-in User: Authenticate as a particular user by providing their UID. This confirms they can access their own data but not someone else's.
A Potential Attacker: Craft mischievous requests. What happens if you try to write a number where a string should be or attempt to modify a field that should be read-only?

The simulator gives you immediate feedback, telling you whether an operation is allowed or denied and, crucially, which specific line in your rules made that decision. It’s an essential tool for instant validation.

Automated Unit Testing with the Emulator Suite

While the simulator is great for quick manual tests, it just doesn’t scale. For truly comprehensive testing, you need automation. This is where the Firebase Local Emulator Suite is a game-changer. It lets you run a local version of Firebase services—including Firestore and the Realtime Database—directly on your own machine.

This local environment is the perfect sandbox for writing unit tests against your security rules. You can build a test suite that programmatically fires off hundreds of different operations in seconds, covering far more ground than you ever could by hand.

By integrating security rule tests into your development workflow, you build a safety net. It ensures a new code change doesn't accidentally poke a hole in your security, catching mistakes long before they ever get to production.

For instance, your automated tests could:

Create two mock users, "Alice" and "Bob".
Assert that Alice can create and read her own profile document.
Assert that Alice is correctly blocked when she tries to read Bob's profile.
Assert that an unauthenticated user can't read any profile documents at all.

This approach transforms security from a manual chore into a testable, repeatable, and automated part of your development process. To see this in action, our guide on advanced Firebase security rules offers more detailed examples.

Continuous Auditing with Automated Scanners

Manual checks and unit tests are vital, but they’re limited by your own imagination. They only check for the scenarios you think of. What about the subtle logic flaws or complex attack patterns you might not even know exist? This is the problem that automated security scanners are built to solve.

Tools like AuditYour.App act like a dedicated security expert that continuously reviews your project. These scanners connect to your Firebase project and use sophisticated analysis to probe your rules for common misconfigurations, overly permissive access, and tricky logical loopholes. They go beyond obvious mistakes to find vulnerabilities that even a seasoned developer might miss.

This gives you an objective, third-party assessment of your security posture. When you combine quick manual checks in the Simulator, thorough unit tests with the Emulator Suite, and continuous audits from a scanner, you create a layered defence. This multi-pronged validation strategy is how you ensure your Firebase database security is as robust as it possibly can be.

Integrating Security into Your CI/CD Pipeline

Getting your Firebase database security right isn't a one-off task you can tick off a list. It’s a continuous habit that needs to be part of your everyday development process. While checking your rules by hand is a decent starting point, the only way to truly stay on top of it is through automation.

When you embed security checks directly into your Continuous Integration/Continuous Deployment (CI/CD) pipeline, you create a powerful safety net. It makes security a default, non-negotiable step for every single code change, effectively stopping insecure rules from ever making it into your live application. Think of it as an automated security review that never gets tired and never misses a thing.

Automating Tests with GitHub Actions

One of the best ways to do this is by running your Emulator Suite tests automatically before any new code gets merged. With a tool like GitHub Actions, you can set up a workflow that kicks off every time a developer opens a pull request.

This workflow will automatically fire up the Firebase Emulator, run all of your security rule tests, and only give the green light to merge if every single test passes. If a developer accidentally writes a rule that opens up a hole, the tests fail, the pull request is blocked, and the problem is caught immediately—not after it's caused damage. This is a foundational practice for any modern, secure development workflow. You can dive deeper into building these systems in our guide to CI/CD pipeline security.

Implementing Active Monitoring and Alerts

Prevention is your first line of defence, but you also need a way to spot problems happening in real time. What happens if an unexpected interaction between your app's logic and your rules creates a vulnerability? Firebase gives you the tools to set up alerts for security rule violations and other suspicious behaviour.

By keeping an eye on rule denials, you can uncover some really valuable insights. For example, a sudden spike in 'permission-denied' errors hitting a specific path in your database could point to a bug, a misconfigured rule, or even an attacker methodically trying to find a weak spot.

You can use Cloud Monitoring to watch for these events and send instant alerts to your team through email or Slack. This means you can investigate and react to potential threats straight away, instead of finding out about a breach days or even weeks too late.

Leveraging Continuous Scanning Services

For the highest level of confidence, continuous scanning services are the final piece of the puzzle. Your CI/CD pipeline is fantastic for testing against the failure scenarios you've already thought of, but automated scanners look for everything else. They act like an automated red team, constantly checking your live project against a huge, ever-growing library of known vulnerabilities and attack patterns.

These services can audit your project on a schedule, alerting you the moment a new issue is found. This could be because your app has changed or because a new type of threat has been discovered. This combination of pre-deployment tests, real-time monitoring, and continuous external auditing creates a robust, multi-layered defence that keeps your Firebase database security strong as your project evolves.

Got Questions About Firebase Security?

We've all been there. When you're first getting to grips with Firebase, a few common questions always seem to pop up. Let's tackle some of the most frequent ones I hear from developers.

Will Security Rules Slow Down My App?

It’s a valid concern, but the answer is usually no—at least not directly. Firebase rules are incredibly optimised. Even a complex rule checking a single document runs in milliseconds, so you won't notice any lag from the rule execution itself.

The real performance trap is when your rules force you to make inefficient database queries. Imagine a rule that stops you from reading a list of 20 items at once. If you have to fetch each item individually with 20 separate calls to the database, your app will feel sluggish. The key is to design your data structure and rules to work in harmony from the start.

Is Firestore More Secure Than Realtime Database?

This is a classic question, but it frames the problem the wrong way. Neither database is inherently more secure than the other. The security of your app boils down to one thing: how well you write your rules.

That said, Firestore's rules language is widely seen as more powerful. It gives you more sophisticated tools for data validation and lets you use functions, making it easier to lock down complex apps with very specific permissions. The cascading, JSON-based rules in Realtime Database can sometimes feel a bit more restrictive in comparison.

What's the Right Way to Handle Admin Roles?

Whatever you do, don't store a user's role directly in their public database profile, like a field that says isAdmin: true. If you have even a slightly miswritten rule, a clever user could potentially give themselves admin privileges. I've seen it happen.

The most secure and scalable way to manage roles is with custom claims from Firebase Authentication.

You assign these claims from a trusted environment, like a Cloud Function, which makes them tamper-proof. The claim is then baked right into the user's auth token and is simple to check in your security rules. It looks something like this:

allow read, write: if request.auth.token.admin == true;

Feeling overwhelmed by security rules? AuditYour.App is a modern scanner that finds critical misconfigurations in your Firebase project before attackers do. Get an instant, actionable security audit and ship your app with confidence by visiting https://audityour.app.