You're viewing the legacy docs. They are deprecated as of May 18, 2016.
Go to current docs

Security & Rules Guide

Understanding Security

Firebase provides a full set of tools for managing the security of your app. These tools make it easy to authenticate your users, enforce user permissions, and validate inputs.

Overview

Security is a really big topic, and it's very important. Traditionally, it has been one of the most difficult parts of app development. Firebase makes it a whole lot easier to secure your app. We take care of some parts entirely, like managing your users' passwords. Where we can't handle something completely, we simplify. For example, we provide a declarative language for securing your data.

This page describes how to build secure apps on Firebase. Firebase apps run more client-side code than those with many other technology stacks. Therefore, the way we approach security may be a bit different than you're used to.

Authentication

User identity is an important security concept. Different users have different data, and sometimes they have different capabilities. For example, in a chat program, each message is associated with the user that created it. Users may also be able to delete their own messages, but not messages posted by other users. The first step in securing your app is often identifying your users. This process is called authentication.

Firebase provides tools for making authentication easy:

  • Integrations with Facebook, GitHub, Google, and Twitter authentication providers
  • Email & password login, and account management
  • Single-session anonymous login
  • Custom login tokens, for integrating with your own authentication server or SSO

Implementing authentication varies between platforms. Please refer to the User Authentication section of the guide for your platform: Web, iOS, Android, REST.

Authorization

Identifying your user is only part of security. Once you know who they are, you need a way to control their access to data in your Firebase database.

Firebase has a declarative language for specifying rules that live on the Firebase servers and determine the security of your app. You can edit them by selecting a Firebase app in your Account Dashboard and viewing the Security & Rules tab.

These Security and Firebase Rules allow you to control access to each part of your database. Rules applied to a node in your database cascade to all of its children.

{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}

This example allows anyone to read /foo/ and its children, but prevents anyone from writing to it.

The Security and Firebase Rules include a number of built-in variables and functions. You can use these variables and functions to build expressive rules. These variables and functions give your rules power and flexibility. They allow you to refer to other paths, server-side timestamps, and more.

The most important built-in variable is auth. This variable is populated after your user authenticates. It contains data about them and auth.uid, a unique, alphanumeric identifier that works across providers. The auth variable is the foundation of many rules.

{
  "rules": {
    "users": {
      "$user_id": {
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

This rule grants a user write access on /users/<auth.uid>/ to the user whose unique ID matches the dynamic path, $user_id.

Data Validation

Every Firebase application includes a schema-less database. This makes it easy to change things as you develop, but once your app is ready to distribute, it's important for data to stay consistent. The rules language includes a .validate rule. Use it to specify declarative validation rules just like .read and .write rules. The only difference is that validation rules do not cascade.

{
  "rules": {
    "foo": {
      ".validate": "newData.isString() && newData.val().length < 100"
    }
  }
}

This rule enforces that data written to /foo/ must be a string less than 100 characters

Validation rules have access to all of the same built-in functions and variables as .read and .write rules. You can use these to create validation rules that are aware of data elsewhere in your database, your user's identity, server time, and much more.

{
  "rules": {
    "user": {
      ".validate": "auth != null && newData.val() === auth.uid"
    }
  }
}

This rule enforces that only the currently logged in user's unique ID is written to /user/.

If a data validation rule is violated, our realtime clients roll back the change and notify your app through a callback. The synchronous REST API responds with an error.

Validation rules are not meant to completely replace data validation code in your app. You must still validate input for best performance, and to provide the best experience when your users are offline.