You're viewing the legacy docs. They are deprecated as of May 18, 2016.
Go to current docs

REST Guide

Understanding Security

Firebase provides a full set of tools for managing the security of your app. These tools make it easy to authenticate your users, enforce user permissions, and validate inputs.

Overview

Security is a really big topic, and it's very important. Traditionally, it has been one of the most difficult parts of app development. Firebase makes it a whole lot easier to secure your app. We take care of some parts entirely, like managing your users' passwords. Where we can't handle something completely, we simplify. For example, we provide a declarative language for securing your data.

This page describes how to build secure apps on Firebase. Firebase apps run more client-side code than those with many other technology stacks. Therefore, the way we approach security may be a bit different than you're used to.

Authentication

User identity is an important security concept. Different users have different data, and sometimes they have different capabilities. For example, in a chat program, each message is associated with the user that created it. Users may also be able to delete their own messages, but not messages posted by other users. The first step in securing your app is often identifying your users. This process is called authentication.

Firebase provides tools for making authentication easy:

  • Integrations with Facebook, GitHub, Google, and Twitter authentication providers
  • Email & password login, and account management
  • Single-session anonymous login
  • Custom login tokens, for integrating with your own authentication server or SSO

The next section of this guide, User Authentication, explains how to implement authentication.

Authorization

Identifying your user is only part of security. Once you know who they are, you need a way to control their access to data in your Firebase database.

Firebase has a declarative language for specifying rules that live on the Firebase servers and determine the security of your app. You can edit them by selecting a Firebase app in your Account Dashboard and viewing the Security & Rules tab.

These Security and Firebase Rules allow you to control access to each part of your database. Rules applied to a node in your database cascade to all of its children.

{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}

This example allows anyone to read /foo/ and its children, but prevents anyone from writing to it.

The Security and Firebase Rules include a number of built-in variables and functions. You can use these variables and functions to build expressive rules. These variables and functions give your rules power and flexibility. They allow you to refer to other paths, server-side timestamps, and more.

The most important built-in variable is auth. This variable is populated after your user authenticates. It contains data about them and auth.uid, a unique, alphanumeric identifier that works across providers. The auth variable is the foundation of many rules.

{
  "rules": {
    "users": {
      "$user_id": {
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

This rule grants a user write access on /users/<auth.uid>/ to the user whose unique ID matches the dynamic path, $user_id.

Data Validation

Every Firebase application includes a schema-less database. This makes it easy to change things as you develop, but once your app is ready to distribute, it's important for data to stay consistent. The rules language includes a .validate rule. Use it to specify declarative validation rules just like .read and .write rules. The only difference is that validation rules do not cascade.

{
  "rules": {
    "foo": {
      ".validate": "newData.isString() && newData.val().length < 100"
    }
  }
}

This rule enforces that data written to /foo/ must be a string less than 100 characters

Validation rules have access to all of the same built-in functions and variables as .read and .write rules. You can use these to create validation rules that are aware of data elsewhere in your database, your user's identity, server time, and much more.

{
  "rules": {
    "user": {
      ".validate": "auth != null && newData.val() === auth.uid"
    }
  }
}

This rule enforces that only the currently logged in user's unique ID is written to /user/.

If a request violates a validation rule, it responds with an error.

Validation rules are not meant to completely replace data validation code in your app. You must still validate input for best performance, and to provide the best experience when your users are offline.

Learning More

At this point you should have a rough idea of how to build secure apps on Firebase.

The Security and Firebase Rules are a powerful and flexible way to control access in your app. This guide covered a small set of their broad capabilities. The security guide covers them in greater detail. The guide includes all of the built-in functions, variables, and features. It also includes examples to put them into context.

You can continue working through this guide without writing comprehensive rules for your app, but it's absolutely critical that you write them before launching your app. It's also a good idea to have a plan for security before getting too far along building your app. You may need to restructure your data slightly to accommodate effective rules.

  1. 1

    Next

    Installation & Setup

  2. 2

    Next

    Understanding Data

  3. 3

    Next

    Saving Data

  4. 4

    Next

    Retrieving Data

  5. 5

    Next

    Structuring Data

  6. 6

    Next

    Understanding Security

  7. 7

    Next

    User Authentication

  8. 8

    Next

    App Management