How to Test Firebase Security Rules in 5 Minutes
Firebase security rules are the first line of defense for your Realtime Database and Firestore data. However, many developers deploy rules without proper testing, leading to data exposure and security vulnerabilities. This guide shows you how to quickly test your Firebase security rules before they cause problems.
Why test Firebase security rules?
Firebase security rules determine who can read and write data in your database. A single misconfiguration can expose sensitive user data to unauthorized access. Common mistakes include:
- World-readable databases (
.read: true) - Overly permissive authenticated user access
- Missing validation on write operations
- Incorrectly scoped permissions
Testing your security rules helps catch these issues before attackers do.
Method 1: Using FireScan (Automated)
The fastest way to test Firebase security rules is with automated scanning. FireScan automatically tests your rules with different authentication states and identifies misconfigurations.
Quick setup
# Install FireScan
go install github.com/JacobDavidAlcock/firescan/cmd/firescan@latest
# Launch and configure
firescan
firescan > set projectID your-project-id
firescan > set apiKey AIza...
# Create test account and scan
firescan > auth --create-account
firescan > scan --allFireScan will test:
- Unauthenticated access (what anonymous users can see)
- Authenticated access (what logged-in users can access)
- Path enumeration (discovering accessible data paths)
- Permission boundaries (verifying rule restrictions work)
Results show exactly which paths are accessible and at what severity level.
Method 2: Manual testing with Firebase Emulator
For local development, use the Firebase Emulator Suite:
# Install Firebase CLI
npm install -g firebase-tools
# Start emulator
firebase emulators:start
# Access Rules Playground
# Navigate to http://localhost:4000The Rules Playground lets you:
- Write and test rules interactively
- Simulate different authentication states
- See which rules match your queries
However, this only works for local testing and requires manual test case creation.
Method 3: Firebase Console Simulator
For quick one-off tests:
- Go to Firebase Console → Firestore/Realtime Database
- Click "Rules" tab
- Click "Rules Playground"
- Enter path and authentication details
- See if access is allowed or denied
This is useful for quick checks but doesn't scale for comprehensive testing.
What to test
Your Firebase security rule testing should cover:
1. Unauthenticated access
Test what anonymous users can access:
firescan > scan --unauthResult: Should show "Permission denied" for sensitive paths.
2. Authenticated user access
Test what logged-in users can access:
firescan > auth --create-account
firescan > scan --allResult: Users should only access their own data.
3. Path enumeration
Check if attackers can discover hidden paths:
firescan > scan --rtdb -l allResult: No sensitive collections should be enumerable.
4. Write permissions
Test if users can modify data they shouldn't:
firescan > scan --write --testResult: Writes should only succeed for authorized paths.
Common Firebase security rule vulnerabilities
World-readable databases
Vulnerable rule:
{
"rules": {
".read": true,
".write": "auth != null"
}
}Impact: Anyone can read all data.
Fix:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}Missing user isolation
Vulnerable rule:
match /users/{userId} {
allow read, write: if request.auth != null;
}Impact: Any authenticated user can read/write all user documents.
Fix:
match /users/{userId} {
allow read, write: if request.auth.uid == userId;
}No data validation
Vulnerable rule:
match /posts/{postId} {
allow write: if request.auth != null;
}Impact: Users can write arbitrary data.
Fix:
match /posts/{postId} {
allow write: if request.auth != null
&& request.resource.data.keys().hasAll(['title', 'content'])
&& request.resource.data.title is string
&& request.resource.data.title.size() > 0;
}Best practices for Firebase security
- Test before deploying - Always test rules in emulator or with FireScan before production
- Default deny - Start with all access denied, then explicitly allow
- Principle of least privilege - Grant minimum required permissions
- Validate data - Check types, sizes, and required fields
- Test all authentication states - Unauthenticated, authenticated, different user roles
- Regular audits - Re-test periodically as your app evolves
Automate testing in CI/CD
Add FireScan to your deployment pipeline:
# In your CI/CD script
firescan --config myapp.yaml --json > security-report.json
# Fail build if critical vulnerabilities found
if grep -q '"severity":"Critical"' security-report.json; then
echo "Critical vulnerabilities found!"
exit 1
fiThis catches security issues before they reach production.
Next steps
- Install FireScan to start automated testing
- View examples of common scanning workflows
- Learn about safety modes for production testing
- Read the full scan command reference
Testing Firebase security rules doesn't have to be complicated. With the right tools, you can verify your rules in minutes and deploy with confidence.
Found this helpful? Support FireScan development or get professional security assessment for your Firebase app.
