
IS FIREBASE SAFE?

Firebase offers a fast path from prototype to production with Firestore, Authentication, Cloud Functions, and Storage. The biggest risk is overly permissive security rules that ship with test mode, allowing anyone on the internet to read and write your entire database.

72%: No CSP header
74%: No rate limiting
47%: No DMARC
447+: Sites analyzed

TOP SECURITY RISKS

critical

Firestore Rules Set to Allow All Reads and Writes

The default test-mode rules (allow read, write: if true) grant full access to every document in your database. Any user can read sensitive data, overwrite records, or delete entire collections without authentication.

medium

Firebase API Key Misunderstanding

Firebase API keys are embedded in client-side code by design and are not secret. However, developers who mistake them for private credentials may neglect to restrict their usage via HTTP referrer restrictions and API key restrictions in the Google Cloud console.

high

Cloud Functions Without Authentication

HTTP-triggered Cloud Functions that do not verify Firebase Auth tokens or check user roles can be called by anyone. This allows attackers to trigger business logic, access data, or modify state without authorization.

high

Storage Rules Too Permissive

Firebase Storage rules that allow public uploads enable attackers to store malicious files, consume your storage quota, and potentially serve harmful content from your domain.

medium

Missing App Check

Without App Check enabled, your Firebase backend cannot distinguish between requests from your legitimate app and requests from scripts, bots, or cloned apps. This makes it easy to abuse your API quota and scrape data.

SECURITY CHECKLIST

Write strict Firestore security rules that validate authentication, ownership, and data schema for every collection
Understand that Firebase API keys are public identifiers and restrict them via Google Cloud console API key restrictions
Add Firebase Auth token verification to all HTTP-triggered Cloud Functions before processing requests
Configure Storage security rules to restrict uploads by file type, size, and user ownership
Enable App Check with reCAPTCHA or DeviceCheck to block unauthorized API access from non-app clients
Monitor Firebase usage dashboard for unexpected spikes that indicate abuse or data scraping
Review Authentication sign-in providers and disable any methods you do not actively use
UNPWNED checks all of the above automatically with 700+ security tests.
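The following rulesets are an added example, not code from this page or from Firebase's own documentation. They show the open test-mode Firestore rules described under the critical risk above (and in the FAQ on spotting insecure rules) next to a hardened ruleset that enforces the checklist items: authentication, ownership and schema validation for a hypothetical "notes" collection, and Storage rules that restrict uploads by owner, content type and size for a hypothetical per-user upload path. The collection name, field names and size limits are assumptions for illustration.

```text
// ---- firestore.rules ----
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // TEST MODE (insecure): anyone on the internet can read and write every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }
    // The timestamp variant is just as open until the date passes:
    //   allow read, write: if request.time < timestamp.date(2026, 5, 6);

    // Hardened: helpers used by the rules below.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(doc) {
      return signedIn() && doc.data.ownerId == request.auth.uid;
    }
    // Schema check on the incoming write: exact key set, owner pinned to the
    // caller, bounded string fields, server-set timestamp.
    function validNote() {
      let d = request.resource.data;
      return d.keys().hasOnly(['ownerId', 'title', 'body', 'updatedAt'])
        && d.ownerId == request.auth.uid
        && d.title is string && d.title.size() <= 200
        && d.body is string && d.body.size() <= 20000
        && d.updatedAt == request.time; // client must send serverTimestamp()
    }

    // Hypothetical "notes" collection, one owner per document.
    match /notes/{noteId} {
      allow read: if isOwner(resource);
      allow create: if signedIn() && validNote();
      allow update: if isOwner(resource) && validNote();
      allow delete: if isOwner(resource);
    }
    // No catch-all allow: anything not matched above is denied by default.
  }
}

// ---- storage.rules ----
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Hypothetical per-user upload area: owner-only access, images only, 5 MiB cap.
    match /users/{userId}/uploads/{fileName} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow create, update: if request.auth != null
        && request.auth.uid == userId
        && request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('image/(png|jpeg|webp)');
      allow delete: if request.auth != null && request.auth.uid == userId;
    }
  }
}
```

Two points worth checking in the Rules Playground before deploying: an unauthenticated read of /notes/anything should be denied, and a signed-in create whose ownerId is another user's uid should be denied by validNote(). The delete rule is kept separate in storage.rules because request.resource is not available on delete, so a combined write rule that reads request.resource.size would fail for deletes.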

SCAN YOUR FIREBASE APP

700+ security checks. AI-powered fix prompts. Results in under 2 minutes. Free, no credit card required.


FREQUENTLY ASKED QUESTIONS

Is it a security risk that my Firebase API key is visible in the source code?

No, Firebase API keys are designed to be public and identify your project to Google servers. They are not equivalent to secret API keys. Security comes from Firestore rules, Storage rules, and App Check, not from hiding the API key.

How do I know if my Firestore rules are insecure?

Check the Rules tab in the Firebase console. If you see allow read, write: if true or a timestamp-based expiry, your database is fully open. Use the Rules Playground to test whether unauthenticated requests can access your data.

What is Firebase App Check and do I need it?

App Check verifies that incoming requests originate from your genuine app rather than scripts or cloned apps. It is strongly recommended for production apps to prevent automated abuse, quota theft, and data scraping.

Can someone use my Firebase project if they find the config object?

They can attempt API calls, but access is controlled by your security rules. If your Firestore and Storage rules are properly configured, the config object alone does not grant access to any data. The risk is only real when rules are too permissive.

How do I secure Firebase Cloud Functions?

Verify the Firebase Auth ID token from the Authorization header at the start of every function. Check custom claims for role-based access, validate all input parameters, and set appropriate CORS policies to restrict which domains can call your functions.
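The guard described in this answer (and in the "Cloud Functions Without Authentication" risk and checklist item above), as an added example that is not code from this page or from Firebase: it reads the ID token from the Authorization header, verifies it, checks a custom role claim, and validates input before any business logic runs. The token verifier is injected so the logic can run offline; the real verifier to pass is firebase-admin's getAuth().verifyIdToken, as noted in the comments. The "role" claim name, the recordId field and the two stand-in tokens are constructed for this example.

```javascript
// Added example, not from the page or Firebase. Guard for HTTP-triggered
// Cloud Functions: bearer token -> verify -> role claim -> input validation.
//
// Production wiring (firebase-admin):
//   const { getAuth } = require('firebase-admin/auth');
//   const authorize = makeAuthGuard((t) => getAuth().verifyIdToken(t, true),
//                                   { requiredRole: 'admin' });
// The second argument `true` also rejects revoked tokens.

// Pull the token out of "Authorization: Bearer <token>"; null on any other shape.
function extractBearerToken(headers) {
  const raw = headers.authorization ?? headers.Authorization;
  if (typeof raw !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/.exec(raw.trim());
  return m ? m[1] : null;
}

// Build authorize(req). verifyIdToken(token) must resolve to the decoded token
// ({ uid, ...customClaims }) or reject for malformed/expired/revoked tokens.
function makeAuthGuard(verifyIdToken, { requiredRole = null } = {}) {
  return async function authorize(req) {
    const token = extractBearerToken(req.headers || {});
    if (!token) return { ok: false, status: 401, error: 'missing bearer token' };
    let decoded;
    try {
      decoded = await verifyIdToken(token);
    } catch (_err) {
      // Never echo verifier details back to the caller.
      return { ok: false, status: 401, error: 'invalid token' };
    }
    if (!decoded || typeof decoded.uid !== 'string') {
      return { ok: false, status: 401, error: 'invalid token' };
    }
    // Custom claims set with setCustomUserClaims ride along on the decoded
    // token; "role" is a hypothetical claim name chosen for this example.
    if (requiredRole !== null && decoded.role !== requiredRole) {
      return { ok: false, status: 403, error: 'insufficient role' };
    }
    return { ok: true, uid: decoded.uid, claims: decoded };
  };
}

// Express-style (req, res) handler, the shape onRequest functions receive.
// Order matters: authorization, then input validation, then the real work.
function makeDeleteRecordHandler(authorize) {
  return async function handler(req, res) {
    const auth = await authorize(req);
    if (!auth.ok) {
      res.status(auth.status).json({ error: auth.error });
      return;
    }
    const recordId = (req.body ?? {}).recordId;
    if (typeof recordId !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(recordId)) {
      res.status(400).json({ error: 'invalid recordId' });
      return;
    }
    // Business logic acting as auth.uid on recordId would go here.
    res.status(200).json({ deleted: recordId, by: auth.uid });
  };
}

// Constructed stand-in verifier: two made-up tokens, everything else rejected.
async function fakeVerifyIdToken(token) {
  const known = {
    'tok-admin': { uid: 'user-1', role: 'admin' },
    'tok-user': { uid: 'user-2' },
  };
  if (!(token in known)) throw new Error('verifier rejected token');
  return known[token];
}

// Minimal res object so the handler can be exercised without a server.
function makeFakeRes() {
  return {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
}

// Runs the handler against constructed requests; returns { caseName: status }.
async function demo() {
  const authorize = makeAuthGuard(fakeVerifyIdToken, { requiredRole: 'admin' });
  const handler = makeDeleteRecordHandler(authorize);
  const cases = {
    anonymous: { headers: {}, body: { recordId: 'rec_1' } },
    forged: { headers: { authorization: 'Bearer not-a-real-token' }, body: { recordId: 'rec_1' } },
    wrongRole: { headers: { authorization: 'Bearer tok-user' }, body: { recordId: 'rec_1' } },
    badInput: { headers: { authorization: 'Bearer tok-admin' }, body: { recordId: '../etc' } },
    admin: { headers: { authorization: 'Bearer tok-admin' }, body: { recordId: 'rec_1' } },
  };
  const out = {};
  for (const [name, req] of Object.entries(cases)) {
    const res = makeFakeRes();
    await handler(req, res);
    out[name] = res.statusCode;
  }
  return out;
}
```

demo() yields 401 for the anonymous and forged requests, 403 for a valid user without the role, 400 for a bad recordId, and 200 only for the admin token with valid input. CORS is left to the function wrapper (for example the cors middleware with an explicit origin allow-list) and is not shown here; restricting origins limits which browser pages can call the function but does not replace the token check, since non-browser clients ignore CORS.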

Data based on 447+ website scans. Last updated: 2026-04-06. Statistics reflect aggregate findings across all scanned websites, not Firebase exclusively.