// Firebase security

Is your Firebase database open to the world? check free.

Firebase starts new projects in test mode — rules that allow anyone to read and write your entire database. It's meant to last 30 days. Plenty of shipped apps never changed it.

Scan your Firebase app now — free, ~60 seconds, no signup.

Firebase's security lives in its Security Rules, not in your code. When you create a Firestore or Realtime Database, the default test-mode rules grant read and write access to anyone, no authentication required — convenient for prototyping, catastrophic in production.

Because the front-end firebaseConfig (including the API key) is public by design, the rules are the only thing standing between your data and the open internet. If they're still in test mode, there's nothing there at all.

World-readable

is the default state of a test-mode Firestore or RTDB

Firebase default rules

/.json

is all it takes to dump an open Realtime Database

RTDB REST endpoint

89%

of AI-built apps ship with at least one vulnerability

Industry analysis cited by vibeappscanner

What goes wrong on Firebase

Test-mode security rules

Rules like `allow read, write: if true;` mean anyone can read or overwrite your whole database. We probe your Firestore collections and Realtime Database for world-readable access.

Open Realtime Database

An open RTDB can be dumped in full by appending `/.json` to its URL. We check for this directly.

Rules that check auth but not ownership

`if request.auth != null` only checks that *someone* is logged in — not that they own the document. Any signed-up user can then read everyone else's data.

Exposed config without locked rules

The firebaseConfig in your front-end is fine on its own. Paired with permissive rules, it hands attackers a ready-made client to your backend.

Your Firebase security checklist

  • Security rules are out of test mode before launch
  • Rules check ownership (`request.auth.uid == resource.data.ownerId`), not just login
  • Realtime Database isn't readable at its `/.json` endpoint
  • Storage rules restrict uploads and downloads per user
  • App Check is enabled to block requests from outside your app
  • Default deny — rules start closed and open only what's needed

Firebase security FAQ

Is Firebase secure by default?

No. New databases start in test mode, which allows anyone to read and write. Firebase is secure only after you write Security Rules that enforce authentication and ownership.

Is it safe to expose the Firebase config / API key?

Yes — the firebaseConfig is public by design and identifies your project, not authenticates access. Your Security Rules and App Check are what actually protect your data.

How do I check my Firebase rules?

bleek's free scan probes your Firestore and Realtime Database the way an attacker would and tells you if they're world-readable, plus how to lock the rules down.

Find your Firebase app's leaks now.

Free scan, real findings, a copy-paste fix for each one. No signup.