You're viewing the legacy docs. They are deprecated as of May 18, 2016.
Go to current docs

Security & Rules


In the Security and Firebase Rules, strings can be examined / manipulated using the operations shown below.

String Operations

These operations can only be used on strings (otherwise the rule will fail). So you may want to use isString() to ensure you are dealing with a string before using these operations.


Allow reading if auth.uid contains "admin".

".read": "auth.uid.contains('admin')"

Require string to be at least 10 characters.

".validate": "newData.isString() && newData.val().length >= 10"

Replaces all periods with commas in and checks for its existence under /users/.

".read": "root.child('users').child('.', ',')).exists()"

Allow read access if auth.identifier ends with ""

".read": "auth.identifier.endsWith('')

Require string to be a basic URL.

".validate": "newData.isString() && newData.val().matches(/^(ht|f)tp(s?):\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*((0-9)*)*(\/?)([a-zA-Z0-9\‌​-‌​\.\?\,\'\/\\\+&=%\$#_]*)?$/)"