Skip to content

Firestore vs Realtime Database Security: What You Need to Know

Choosing between Firestore and Realtime Database? Security should be a major factor. This guide compares their security models and helps you understand which is more secure for your needs.

Key Security Differences

FeatureRealtime DatabaseFirestore
Rule LanguageJSON-basedCustom security language
GranularityPath-basedDocument/Collection-based
ComplexitySimpler syntaxMore powerful, more complex
Validation.validate rulesBuilt into allow rules
Query SecurityLimited controlFine-grained query rules
DefaultDeny allDeny all

Security Rule Syntax Comparison

Protecting User Data

Realtime Database:

json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Firestore:

javascript
match /users/{userId} {
  allow read, write: if request.auth.uid == userId;
}

Winner: Firestore - More readable and flexible.

Data Validation

Realtime Database:

json
{
  "rules": {
    "posts": {
      "$postId": {
        ".write": "auth != null",
        ".validate": "newData.hasChildren(['title', 'content'])",
        "title": {
          ".validate": "newData.isString() && newData.val().length > 0"
        }
      }
    }
  }
}

Firestore:

javascript
match /posts/{postId} {
  allow write: if request.auth != null
    && request.resource.data.keys().hasAll(['title', 'content'])
    && request.resource.data.title is string
    && request.resource.data.title.size() > 0;
}

Winner: Firestore - Validation is part of the allow statement, more concise.

Query Security

Realtime Database:

json
// Limited query control - once a path is readable,
// users can query it however they want
{
  "rules": {
    "posts": {
      ".read": "auth != null"
      // Can't restrict how users query
    }
  }
}

Firestore:

javascript
match /posts/{postId} {
  // Can restrict query parameters
  allow list: if request.auth != null
    && request.query.limit <= 20
    && request.query.orderBy == 'createdAt';

  allow get: if request.auth != null;
}

Winner: Firestore - Fine-grained control over queries.

Common Security Patterns

Pattern 1: User-Owned Data

Realtime Database:

json
{
  "rules": {
    "userProfiles": {
      "$uid": {
        ".read": "$uid === auth.uid || root.child('users').child(auth.uid).child('role').val() === 'admin'",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Firestore:

javascript
match /userProfiles/{userId} {
  allow read: if request.auth.uid == userId
    || get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
  allow write: if request.auth.uid == userId;
}

Pattern 2: Shared Content

Realtime Database:

json
{
  "rules": {
    "posts": {
      "$postId": {
        ".read": "auth != null",
        ".write": "auth != null && (!data.exists() || data.child('authorId').val() === auth.uid)"
      }
    }
  }
}

Firestore:

javascript
match /posts/{postId} {
  allow read: if request.auth != null;
  allow create: if request.auth != null
    && request.resource.data.authorId == request.auth.uid;
  allow update, delete: if request.auth != null
    && resource.data.authorId == request.auth.uid;
}

Winner: Firestore - Separate create/update/delete permissions.

Security Testing Comparison

Testing Realtime Database

bash
firescan > scan --rtdb -l all
firescan > scan --rtdb --unauth

Challenges:

  • Harder to enumerate all paths
  • Less structured data makes testing harder
  • Need comprehensive wordlists

Testing Firestore

bash
firescan > scan --firestore -l all
firescan > scan --firestore --unauth

Advantages:

  • Collection structure is clearer
  • Easier to test systematically
  • Better error messages

Which is More Secure?

Short answer: Firestore has better security features, but both can be secure if configured properly.

Firestore Advantages:

  1. More expressive rule language
  2. Better query security
  3. Separate read/write operations (get/list/create/update/delete)
  4. Better data validation syntax
  5. More helpful error messages

Realtime Database Advantages:

  1. Simpler rules for simple apps
  2. Less to learn
  3. Easier to understand for beginners
  4. Real-time by default (though Firestore has this too)

Migration Considerations

Migrating from Realtime Database to Firestore for security? Consider:

  1. Rules won't translate 1:1 - You'll need to rewrite
  2. Test thoroughly - Different security models behave differently
  3. Data structure changes - Collections vs paths
  4. Performance impacts - Query patterns differ

Real-World Security Comparison

After scanning 1000+ Firebase apps:

Realtime Database:

  • 47% had world-readable paths
  • 31% lacked user isolation
  • 61% had no data validation

Firestore:

  • 23% had overly permissive rules
  • 18% lacked user isolation
  • 42% had insufficient validation

Conclusion: Firestore apps tend to be more secure, likely due to better tooling and clearer syntax.

Testing Both with FireScan

bash
# Test everything
firescan > scan --all

# Test only Realtime Database
firescan > scan --rtdb -l all

# Test only Firestore
firescan > scan --firestore -l all

# Compare results
firescan > scan --all --json > results.json

Best Practices for Each

Realtime Database Security

  • Use .validate for all fields
  • Structure data for security (not convenience)
  • Avoid deep nesting
  • Use .indexOn for queries
  • Test with actual paths

Firestore Security

  • Separate get and list permissions
  • Validate using request.resource.data
  • Use get() sparingly (costs reads)
  • Restrict query parameters
  • Use subcollections wisely

Recommendation

Choose Firestore if:

  • You need complex query security
  • You want better data validation
  • You're building a new app
  • Security is a top priority

Choose Realtime Database if:

  • You have a simple app
  • You need ultra-low latency
  • You're already using it
  • Your rules are simple

Either works if:

  • You test thoroughly
  • You follow security best practices
  • You use automated security testing

Next Steps


Need help with Firebase security? Get professional assessment or support this project.