Realtime Database Security Rules

Get a brief introduction to Firebase Security Rules and learn about Realtime Database Security Rules.

At this point in the course, we can perform read and write operations to some of the Firebase services we initialized, for example, the Realtime Database, Cloud Firestore, and Cloud Storage. This is because the current security rules on these services are set to permit open access to them. While this may not be a problem during development, it’s dangerous to have such rules on a deployed application since anyone who guesses or has access to our project ID can easily steal, modify, or delete our data.

Firebase Security Rules secure and control access to data in these Firebase products making sure that users in a Firebase project can only read and write data they’re allowed. These rules sit between the client application and the data. Therefore, they act as protection against malicious users and ensure that all reads and writes performed by the client SDK are allowed for the end user.

How it works

Firebase Security Rules provide an expression language that lets us choose how the end user is allowed to access data in Firebase products. They do so by matching a pattern against database or bucket paths and then applying custom conditions to either allow or deny access to these paths.

Firebase Security Rules’ expression language is of two varieties. The first variety is the Realtime Database Security Rules formatted using the JSON syntax. The other is Cloud Firestore and Cloud Storage Security Rules that follow the syntax of the Common Expression Language.

Write Realtime Database Security Rules

The Realtime Database uses a JSON-formatted rules syntax to determine who has access to read or write to the database. These rules live on Firebase servers and are enforced automatically on each request. Hence, only approved read or write requests will be allowed to complete.

To begin writing Realtime Database Security Rules, we must start with identifying a node in the database. Then, we can use wildcards to match possible child nodes to create a path. Next, we define rules for those paths using conditional statements:

Get hands-on with 1200+ tech skills courses.