Skip to content

Secure Firebase Database Permissions

Secure Firebase Database Permissions

Description

Firebase Realtime Database Rules determine who has read and written access to your database, how your data is structured, and what indexes exist.

Insecure Database permissions are a common issue, leading to unauthorized access to your database. Firebase provides tools to enforce Authentication, Authorization, and even Data Validation.

The following are common misconfiguration issues to avoid:

Read and write access to all users:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

Any logged-in user has read and write access to your entire database:

{
  "rules": {
      ".read": "auth !== null",
      ".write": "auth !== null"
   }
}

Realtime Database Rules cascade, with rules at more shallow, parent paths overriding rules at deeper child nodes. Remember to write a rule at a child node that it can only grant additional privileges. You can't refine or revoke access to data at a deeper path in your database.

{
  "rules": {
     "foo": {
        // allows read to /foo/*
        ".read": "data.child('baz').val() === true",
        "bar": {
          /* ignored, since read was allowed already */
          ".read": false
        }
     }
  }
}

Recommendation

This entry is secure and has no applicable recommendation.

Standards