In Security and Firebase Rules, strings can be examined or manipulated using the operations shown below.
These operations can only be used on strings; on any other type the rule will fail. You may want to use isString() to ensure you are dealing with a string before using them.
Tutorials
Allow reading if auth.uid contains "admin".
".read": "auth.uid.contains('admin')"
Require string to be at least 10 characters.
".validate": "newData.isString() && newData.val().length >= 10"
Replace all periods with commas in auth.email and check that the result exists under /users/.
".read": "root.child('users').child(auth.email.replace('.', ',')).exists()"
Allow read access if auth.identifier ends with "@company.com".
".read": "auth.identifier.endsWith('@company.com')"
Require string to be a basic URL.
".validate": "newData.isString() && newData.val().matches(/^(ht|f)tp(s?):\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*((0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\'\\/\\\\\\+&=%\\$#_]*)?$/)"
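A client has to build the /users/ key and pre-check values the same way the rules above do, or its reads and writes are rejected. The following is an added example, not part of the original page or of Firebase's own code; the function names (emailToUserKey, isBasicUrl, hasMinLength) and sample values are constructed for illustration.

```javascript
// Added example: client-side mirrors of three rules from this page.
// All names and sample values here are constructed, not Firebase APIs.

// Mirrors auth.email.replace('.', ','). The rules-side replace() changes
// every occurrence, but JavaScript's replace('.', ',') with a string
// pattern changes only the first one, so a global regex is required to
// produce the same key the rule looks up under /users/.
function emailToUserKey(email) {
  if (typeof email !== 'string') {
    throw new TypeError('email must be a string');
  }
  return email.replace(/\./g, ',');
}

// The "basic URL" pattern from the .validate rule, as a JavaScript regex literal.
const BASIC_URL = /^(ht|f)tp(s?):\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*((0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+&=%\$#_]*)?$/;

// Mirrors newData.isString() && newData.val().matches(...).
// The typeof check plays the role of isString(): a non-string never
// reaches the string operation.
function isBasicUrl(value) {
  return typeof value === 'string' && BASIC_URL.test(value);
}

// Mirrors newData.isString() && newData.val().length >= 10.
function hasMinLength(value, min = 10) {
  return typeof value === 'string' && value.length >= min;
}

// Constructed sample address with more than one period.
const sample = 'first.last@example.co.uk';
console.log(emailToUserKey(sample));      // every period replaced
console.log(sample.replace('.', ','));    // only the first period replaced
console.log(isBasicUrl('https://example.com/path?q=1'));
console.log(isBasicUrl(42));              // non-string is rejected up front
console.log(hasMinLength('0123456789'));
```

These checks only save a round trip; the rules on the server remain the enforcement point.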