How do I secure Firestore properly?
Firestore security requires writing granular Security Rules that validate authentication, authorization, and data structure for every collection and document. Rules should check request.auth to verify the user is authenticated and validate that they only access their own data using resource.data fields. You should also validate data types and required fields in write rules using request.resource.data. Avoid using wildcards like match /{document=**} with broad allow rules, as this exposes your entire database. UNPWNED scans your Firestore configuration and identifies rules that are overly permissive or missing authentication checks.
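The rule pattern described above, as an added example that is not taken from UNPWNED or from this page. The notes collection, the ownerId, title and body fields, and the validNote helper are hypothetical names chosen for illustration; the overly broad rule is shown commented out beside the scoped rules that replace it.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (left commented out): a recursive wildcard with a broad allow
    // lets anyone read and write every document in the database.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Required fields and types for a note (constructed schema).
    function validNote(data) {
      return data.keys().hasAll(['ownerId', 'title', 'body'])
          && data.keys().hasOnly(['ownerId', 'title', 'body'])
          && data.ownerId is string
          && data.title is string
          && data.title.size() > 0
          && data.title.size() <= 200
          && data.body is string;
    }

    // Hardened: hypothetical "notes" collection, one owner per document.
    match /notes/{noteId} {
      // Read and delete: caller is signed in and owns the stored document.
      allow read, delete: if request.auth != null
                          && resource.data.ownerId == request.auth.uid;

      // Create: caller is signed in, names themselves as owner,
      // and sends a document that passes the schema check.
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid
                    && validNote(request.resource.data);

      // Update: owner only, ownership cannot be reassigned,
      // and the incoming document is validated again.
      allow update: if request.auth != null
                    && resource.data.ownerId == request.auth.uid
                    && request.resource.data.ownerId == resource.data.ownerId
                    && validNote(request.resource.data);
    }
  }
}
```

Rules are not filters: a list query against this collection is rejected unless the query itself restricts ownerId to the caller's uid.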
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.