Firebase Security Rules control the access that users of your web apps have to read and write your database. The real-time database rules help determine who can use how much data, the structure of your data and how indexes work. Once defined properly, these rules remain active on Firebase servers and are applied automatically all the time. Users’ request to read and write will be fulfilled only if your rules consider it fair and allowable.

Firebase rules recognize authenticated users and allow them full access to your database by default. This sensible approach keeps at bay undesirable access and protects your database from being abused. You can always customize your rules around authentication, though. However, it is not always easy to set up Firebase security rules to protect database. Let’s learn more about all the necessary tips to use Firebase rules for web apps.

Tips To Use Firebase Security Rules To Build Incredible Web Apps-ad banner

Introduction to Firebase security

Firebase real-time security is comprised of handy tools for web app developers to manage the overall security for the app. With Firebase authentication and validation tools running on server, it becomes easy to:

  • Authenticate users
  • Limit their access to database
  • Define permissions
  • Validate inputs/functions

The quintessential aspect of Firebase-powered apps is that it handles more client-side code unlike other available technology stack in the market. This ensures that your approach to secure your app is unique and deep with strong protective layers within.

The Central Components of Security Rules

There are three major components to Firebase Security rules:

  • User identification
  • Data Access Control
  • Input Validation (to create, read, update & delete Operations)

Once you know user’s identity through Firebase rules, you are allowed to automatically set restrictions for what action they can perform to the database (such as reading, updating or deleting).

The Firebase authentication process involves two options:

1. Firebase UI Auth: This option along with a few good code lines can help establish a complete sign-in system in your app for Web, iOS and Android. It will ask for user email, password, Google+, Facebook, GitHub, etc.

2. Firebase SDK Authentication: This one allows complete freedom to manage authentication based on your choice. You can also opt for Facebook and Google Sign in as Valid Identity providers.

The successful sign-in gives you access to user’s basic profile which is useful while controlling user’s access to stored data.

Firebase Database Rules

The security of Firebase is attributed to powerful JSON-formatted security language. Due to its great flexibility, you can easily access and define rules in Firebase Console using Database->Rules tab.

Firebase Security Rules structure contains syntax like JavaScript and is divided in four types:

.read: Defines when and if users are allowed to read data.

.write: Determines if and when users can write data.

.validate: It defines a value in a correct format and its child attributes and data type.

.indexOn: Specifies a child to index to support ordering and querying.

Firebase Authentication Process

Identifying your users is a basic and the first step when it comes to securing your app. As all users have unique story and profile, their data and capabilities vary from person to person. In chat apps, users are allowed to create messages and delete them if they wish. Deleting messages sent by other users is impossible, though.

Through firebase authentication, users can sign in to your app. It involves popularly used authentication practices with inherent support for Google, Twitter or Facebook along with email login, anonymous log-in, etc.


After identifying users, the next step is to limit and control their access to your database. Firebase authentication and Database Rules can be applied to perform data restrictions in several scenarios such as:

  • Strictly authenticated users can access(read) data
  • Authenticated users are allowed to only write to his own node
  • No one can create a new node except users

Built in variables and functions present in the Firebase security rules allow to refer to other paths, authentication information and server-side timestamps. Using similar format of rule that includes user ID obtained from Firebase authentication, you can also grant write access for authenticated users as well.

Data validation Phase

Owing to seamless nature of Firebase database rules, you can easily tweak and apply changes during development process. However, data should remain consistent once your app is finally ready. The validate rule of Firebase is to bring in validation logic with the same expression as used for .read and .write rules. However, validation rules do not cascade and have to be true for .write to come to effect.

Just like .read and .write rules, you can use the same built-in variables and functions to create Validation rules that know all data locations in your database.

Using Predefined Variables

Firebase has certain predefined variables you can find handy to define security rules that restrict, usher, read, write and validate. A few of them are:

auth: Functions as token payload of authenticated users

root : A node that represents the root path in the Firebase database before the attempted operation.

newData : Contains data that exists after the attempted operation

Data : Contains the data that existed before the attempted operation

now:The current time in milliseconds

$ variables:A wildcard path used to represent ids and dynamic child keys.

Defining database indexes

The Firebase Database security makes it possible to order and query data. Indexes are declared with .indexOn rule.

The data of small sizes do not require indexes during development because of ad hoc querying. However, before the app is launched, it is important to specify indexes for your queries so that it will still work when the app is scaled up.


This blog was our attempt to show how Firebase Database and security appears and works for mobile app and web developers while creating incredible web apps. Hope you will learn a few tips you may need for your next mobile or web app development project. You can always find more details about how to set up and define different security rules for user authentication, authorization and validation by reviewing Firebase Security Rules. If you are trying to build a highly secure, functional and user-friendly app, you can seek collaborative assistance from our company.