Test-mode security rules
Rules like `allow read, write: if true;` mean anyone can read or overwrite your whole database. We probe your Firestore collections and Realtime Database for world-readable access.
// Firebase security
Firebase starts new projects in test mode — rules that allow anyone to read and write your entire database. It's meant to last 30 days. Plenty of shipped apps never changed it.
Scan your Firebase app now — free, ~60 seconds, no signup.
Firebase's security lives in its Security Rules, not in your code. When you create a Firestore or Realtime Database, the default test-mode rules grant read and write access to anyone, no authentication required — convenient for prototyping, catastrophic in production.
Because the front-end firebaseConfig (including the API key) is public by design, the rules are the only thing standing between your data and the open internet. If they're still in test mode, there's nothing there at all.
World-readable
is the default state of a test-mode Firestore or RTDB
Firebase default rules
/.json
is all it takes to dump an open Realtime Database
RTDB REST endpoint
89%
of AI-built apps ship with at least one vulnerability
Industry analysis cited by vibeappscanner
Rules like `allow read, write: if true;` mean anyone can read or overwrite your whole database. We probe your Firestore collections and Realtime Database for world-readable access.
An open RTDB can be dumped in full by appending `/.json` to its URL. We check for this directly.
`if request.auth != null` only checks that *someone* is logged in — not that they own the document. Any signed-up user can then read everyone else's data.
The firebaseConfig in your front-end is fine on its own. Paired with permissive rules, it hands attackers a ready-made client to your backend.
No. New databases start in test mode, which allows anyone to read and write. Firebase is secure only after you write Security Rules that enforce authentication and ownership.
Yes — the firebaseConfig is public by design and identifies your project, not authenticates access. Your Security Rules and App Check are what actually protect your data.
bleek's free scan probes your Firestore and Realtime Database the way an attacker would and tells you if they're world-readable, plus how to lock the rules down.
Free scan, real findings, a copy-paste fix for each one. No signup.