What are the security best practices for Firebase?
Always write specific security rules for every collection and never deploy test-mode rules to production. Validate every field in write rules, including type checking, required fields, and allowed values. Use Firebase App Check to prevent unauthorized clients from accessing your backend services. Implement proper user isolation by scoping all rules to request.auth.uid, and restrict Cloud Functions to authenticated users where appropriate. Regularly audit your rules using the Firebase Emulator Suite and enable Google Cloud audit logging for your project. UNPWNED provides ongoing monitoring of your Firebase security configuration and alerts you to new vulnerabilities.
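The following Firestore Security Rules file is an added example illustrating the practices above; it is not code from UNPWNED or from Firebase documentation. The collection layout (`/users/{userId}/notes/{noteId}`), the field names (`ownerId`, `title`, `status`, `body`, `createdAt`) and the allowed `status` values are assumptions chosen for the illustration. It shows the open test-mode rule that must never ship, commented out, beside a hardened ruleset that scopes every operation to `request.auth.uid` and validates types, required fields, and allowed values on every write.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Test-mode rule: grants every client full read and write access.
    // Shown only for contrast; never deploy it to production.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    function isSignedIn() {
      return request.auth != null;
    }

    // User isolation: the caller may only touch documents under their own uid.
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Schema validation for the hypothetical "note" document:
    // required fields, no unexpected fields, correct types, allowed values.
    function validNote(data) {
      return data.keys().hasAll(['ownerId', 'title', 'status', 'createdAt'])
        && data.keys().hasOnly(['ownerId', 'title', 'status', 'createdAt', 'body'])
        && data.ownerId is string
        && data.title is string
        && data.title.size() > 0
        && data.title.size() <= 200
        && data.status in ['draft', 'published']
        && data.createdAt is timestamp
        && (!('body' in data) || data.body is string);
    }

    match /users/{userId}/notes/{noteId} {
      allow read: if isOwner(userId);

      // On create, the document must pass validation, belong to the caller,
      // and carry a server-side timestamp rather than a client-chosen one.
      allow create: if isOwner(userId)
        && validNote(request.resource.data)
        && request.resource.data.ownerId == userId
        && request.resource.data.createdAt == request.time;

      // On update, ownership and creation time are immutable.
      allow update: if isOwner(userId)
        && validNote(request.resource.data)
        && request.resource.data.ownerId == resource.data.ownerId
        && request.resource.data.createdAt == resource.data.createdAt;

      allow delete: if isOwner(userId);
    }

    // Any path not matched above is denied by default.
  }
}
```

To audit a ruleset like this before deploying it, run it in the Firebase Emulator Suite (`firebase emulators:start --only firestore`) and exercise each `allow` branch with both an owner and a non-owner account, confirming that cross-user reads, writes missing a required field, and writes with an out-of-range `status` are all rejected.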
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.