Security Checklist for Firebase Apps Built with AI

Firebase's ease of use makes it a favorite for AI-generated apps. But that same ease creates a dangerous pattern: AI tools get the app working with permissive security rules and never tighten them for production.

10-point security checklist

1. 1.

   Firestore security rules are not open

   critical

   Check your firestore.rules file. If you see allow read, write: if true or allow read, write: if request.time < timestamp, your entire database is publicly writable. Every collection must have rules that verify authentication and authorization for each operation.

2. 2.

   Storage rules restrict access

   high

   Firebase Storage rules default to allowing authenticated uploads of any type and size. Verify rules restrict: file types (e.g., only images), file size limits, path-based access (users can only access their own files), and read permissions.

3. 3.

   Admin SDK credentials are server-side only

   critical

   The Firebase Admin SDK service account key (a JSON file) must never be in client code or a public repository. This key has full read/write access to your entire Firebase project, bypassing all security rules.

4. 4.

   Auth email enumeration is prevented

   medium

   Firebase Auth's default behavior reveals whether an email is registered during login. This lets attackers enumerate valid accounts. Enable email enumeration protection in the Firebase console under Authentication settings.

5. 5.

   Cloud Functions validate input

   high

   Firebase Cloud Functions (callable or HTTPS) receive raw client input. AI-generated functions often skip validation. Every function should validate the request data structure and types before processing, and verify the calling user's authentication and permissions.

6. 6.

   Firebase config is for the correct project

   medium

   AI development often uses test Firebase projects. Verify your production deployment uses the production project's configuration. Mixing test and production environments can cause data leaks or loss.

7. 7.

   API keys are restricted in Google Cloud Console

   medium

   Firebase API keys are public by design but should be restricted by domain and API in the Google Cloud Console. Without restrictions, anyone can use your API key to make requests to Firebase services on your billing account.

8. 8.

   Custom claims are used for roles

   high

   AI tools often store user roles in Firestore documents and check them in client code. This is bypassable. Use Firebase Custom Claims for roles — they're included in the auth token and can be verified in security rules with request.auth.token.role.

9. 9.

   Firestore rules use request.auth

   high

   Every Firestore rule for authenticated resources should start with request.auth != null. AI-generated rules sometimes skip this check on read operations, assuming the frontend handles auth. Rules are the real security boundary, not the frontend.

10. 10.

    No wildcard Firestore indexes in production

    low

    Composite indexes should be created explicitly for your queries. Wildcard or overly broad indexes can expose data through query manipulation. Review your firestore.indexes.json and remove any unnecessary indexes.