Skip to content

How to Test Firebase Security Rules in 5 Minutes

Firebase security rules are the first line of defense for your Realtime Database and Firestore data. However, many developers deploy rules without proper testing, leading to data exposure and security vulnerabilities. This guide shows you how to quickly test your Firebase security rules before they cause problems.

Why test Firebase security rules?

Firebase security rules determine who can read and write data in your database. A single misconfiguration can expose sensitive user data to unauthorized access. Common mistakes include:

  • World-readable databases (.read: true)
  • Overly permissive authenticated user access
  • Missing validation on write operations
  • Incorrectly scoped permissions

Testing your security rules helps catch these issues before attackers do.

Method 1: Using FireScan (Automated)

The fastest way to test Firebase security rules is with automated scanning. FireScan automatically tests your rules with different authentication states and identifies misconfigurations.

Quick setup

bash
# Install FireScan
go install github.com/JacobDavidAlcock/firescan/cmd/firescan@latest

# Launch and configure
firescan
firescan > set projectID your-project-id
firescan > set apiKey AIza...

# Create test account and scan
firescan > auth --create-account
firescan > scan --all

FireScan will test:

  • Unauthenticated access (what anonymous users can see)
  • Authenticated access (what logged-in users can access)
  • Path enumeration (discovering accessible data paths)
  • Permission boundaries (verifying rule restrictions work)

Results show exactly which paths are accessible and at what severity level.

Method 2: Manual testing with Firebase Emulator

For local development, use the Firebase Emulator Suite:

bash
# Install Firebase CLI
npm install -g firebase-tools

# Start emulator
firebase emulators:start

# Access Rules Playground
# Navigate to http://localhost:4000

The Rules Playground lets you:

  • Write and test rules interactively
  • Simulate different authentication states
  • See which rules match your queries

However, this only works for local testing and requires manual test case creation.

Method 3: Firebase Console Simulator

For quick one-off tests:

  1. Go to Firebase Console → Firestore/Realtime Database
  2. Click "Rules" tab
  3. Click "Rules Playground"
  4. Enter path and authentication details
  5. See if access is allowed or denied

This is useful for quick checks but doesn't scale for comprehensive testing.

What to test

Your Firebase security rule testing should cover:

1. Unauthenticated access

Test what anonymous users can access:

bash
firescan > scan --unauth

Result: Should show "Permission denied" for sensitive paths.

2. Authenticated user access

Test what logged-in users can access:

bash
firescan > auth --create-account
firescan > scan --all

Result: Users should only access their own data.

3. Path enumeration

Check if attackers can discover hidden paths:

bash
firescan > scan --rtdb -l all

Result: No sensitive collections should be enumerable.

4. Write permissions

Test if users can modify data they shouldn't:

bash
firescan > scan --write --test

Result: Writes should only succeed for authorized paths.

Common Firebase security rule vulnerabilities

World-readable databases

Vulnerable rule:

json
{
  "rules": {
    ".read": true,
    ".write": "auth != null"
  }
}

Impact: Anyone can read all data.

Fix:

json
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Missing user isolation

Vulnerable rule:

javascript
match /users/{userId} {
  allow read, write: if request.auth != null;
}

Impact: Any authenticated user can read/write all user documents.

Fix:

javascript
match /users/{userId} {
  allow read, write: if request.auth.uid == userId;
}

No data validation

Vulnerable rule:

javascript
match /posts/{postId} {
  allow write: if request.auth != null;
}

Impact: Users can write arbitrary data.

Fix:

javascript
match /posts/{postId} {
  allow write: if request.auth != null
    && request.resource.data.keys().hasAll(['title', 'content'])
    && request.resource.data.title is string
    && request.resource.data.title.size() > 0;
}

Best practices for Firebase security

  1. Test before deploying - Always test rules in emulator or with FireScan before production
  2. Default deny - Start with all access denied, then explicitly allow
  3. Principle of least privilege - Grant minimum required permissions
  4. Validate data - Check types, sizes, and required fields
  5. Test all authentication states - Unauthenticated, authenticated, different user roles
  6. Regular audits - Re-test periodically as your app evolves

Automate testing in CI/CD

Add FireScan to your deployment pipeline:

bash
# In your CI/CD script
firescan --config myapp.yaml --json > security-report.json

# Fail build if critical vulnerabilities found
if grep -q '"severity":"Critical"' security-report.json; then
  echo "Critical vulnerabilities found!"
  exit 1
fi

This catches security issues before they reach production.

Next steps

Testing Firebase security rules doesn't have to be complicated. With the right tools, you can verify your rules in minutes and deploy with confidence.


Found this helpful? Support FireScan development or get professional security assessment for your Firebase app.