Google's app development platform
Firebase provides auth, database, storage, and hosting. Its Firestore security rules are powerful but complex — misconfigured rules are the #1 source of data breaches in Firebase apps, especially when AI generates them.
Default or AI-generated rules often allow read/write to all users (allow read, write: if true).
Write granular security rules that check auth.uid and validate data structure for every collection.
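As an added example (not from the original page), here is a firestore.rules file that replaces the blanket allow with per-collection rules. The collection names (users, posts) and field schema are assumed for illustration; adapt them to the real data model. Rules deny by default, and overlapping match blocks are OR'd together, so every collection the app uses must get its own explicit allow.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Insecure default that AI tools and starter templates often emit.
    // Kept here only for contrast; never deploy it.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // The caller presented a valid Firebase Auth token.
    function isSignedIn() {
      return request.auth != null;
    }

    // The caller's uid matches the document's owner segment of the path.
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Validate the shape of a profile document (assumed schema).
    function isValidProfile(data) {
      return data.keys().hasOnly(['displayName', 'email', 'createdAt'])
        && data.displayName is string
        && data.displayName.size() > 0
        && data.displayName.size() <= 50
        && data.email is string
        && data.email == request.auth.token.email
        && data.createdAt is timestamp;
    }

    // /users/{userId}: only the owner may read or modify their profile,
    // and writes must match the schema. createdAt is immutable after creation.
    match /users/{userId} {
      allow read: if isOwner(userId);
      allow create: if isOwner(userId)
        && isValidProfile(request.resource.data)
        && request.resource.data.createdAt == request.time;
      allow update: if isOwner(userId)
        && isValidProfile(request.resource.data)
        && request.resource.data.createdAt == resource.data.createdAt;
      allow delete: if isOwner(userId);
    }

    // /posts/{postId}: any signed-in user can read; only the author can
    // create, update or delete, and the authorId field cannot be spoofed.
    match /posts/{postId} {
      allow read: if isSignedIn();
      allow create: if isSignedIn()
        && request.resource.data.keys().hasOnly(['authorId', 'title', 'body', 'createdAt'])
        && request.resource.data.authorId == request.auth.uid
        && request.resource.data.title is string
        && request.resource.data.title.size() <= 200
        && request.resource.data.body is string
        && request.resource.data.body.size() <= 10000
        && request.resource.data.createdAt == request.time;
      allow update: if isSignedIn()
        && resource.data.authorId == request.auth.uid
        && request.resource.data.authorId == resource.data.authorId;
      allow delete: if isSignedIn()
        && resource.data.authorId == request.auth.uid;
    }
  }
}
```

Deploy with firebase deploy --only firestore:rules, and exercise each allow/deny path in the Emulator Suite first: a write to /users/{otherUid} from a different uid, a post whose authorId does not match the caller, and an update that changes createdAt should all be rejected.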
Firebase config is public by design, but unrestricted API keys allow abuse (e.g., unlimited auth calls).
Restrict API keys in Google Cloud Console. Enable App Check to prevent unauthorized access.
Relying solely on client-side validation means attackers can bypass checks via direct API calls.
Use Cloud Functions for server-side validation on all write operations.
Storage buckets often have overly permissive rules allowing any authenticated user to read all files.
Restrict storage rules to user-specific paths (e.g., /users/{userId}/*).
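As an added example (not from the original page), here is a storage.rules file that scopes access to the caller's own path and bounds what can be uploaded. The path layout /users/{userId}/{fileName}, the 5 MiB limit and the image-only content type are assumed for illustration.

```firestore-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // Overly permissive pattern the page warns about: every signed-in
    // user can read and overwrite every file in the bucket. Do not deploy.
    // match /{allPaths=**} {
    //   allow read, write: if request.auth != null;
    // }

    // The caller is signed in and the path's userId segment is their uid.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Per-user folder: only the owner can read, upload or delete files.
    // Uploads are additionally capped in size and restricted to images.
    // delete is split out because request.resource is null on deletes,
    // and evaluating request.resource.size there would deny the request.
    match /users/{userId}/{fileName} {
      allow read: if isOwner(userId);
      allow create, update: if isOwner(userId)
        && request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('image/.*');
      allow delete: if isOwner(userId);
    }
  }
}
```

Anything outside /users/{userId}/ is denied by default. If the app needs a shared public folder, add a separate match for it with read-only access rather than widening this one.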
HTTP-triggered Cloud Functions lack built-in rate limiting.
Implement rate limiting using Firebase App Check or a middleware layer.
Use the Firebase Emulator Suite to test security rules locally before deploying.
Never trust AI-generated Firestore rules — always test with the Rules Playground.
Enable Firebase App Check to prevent API abuse from unauthorized clients.