This prompt can help your AI assistant (like the Gemini CLI) generate and refine Firebase Security Rules for your app. You can use the prompt to draft Security Rules for common use cases, such as granting user-specific access, implementing role-based permissions, and validating data.
This prompt focuses on generating Security Rules for:
- Cloud Firestore: Secure collections and documents based on your app's logic.
- Cloud Storage for Firebase: Validate access permissions for your stored files.
Using this prompt can help you get started with a strong security posture, but you should always test your Security Rules thoroughly before deploying to production. For more information about testing Security Rules, review Get started with Firebase Security Rules: Test your Security Rules.
Prerequisites
- Familiarize yourself with Firebase Security Rules best practices.
- To run unit tests for Firebase Security Rules and use the Firebase Local Emulator Suite, install Node.js and the Firebase CLI. For full instructions, refer to Install, configure, and integrate Firebase Local Emulator Suite.
- Recommended: If you haven't already, install Gemini CLI. The following instructions explain how to install and use a Gemini CLI extension to generate Security Rules. If you prefer to use another AI assistant, you can copy and paste the prompt from the extension's repository into your chosen AI assistant.
- This Gemini CLI extension uses the Firebase MCP server to validate the Firebase Security Rules it generates. The MCP server can also be used for easier testing and deployment of your Security Rules. Install the Firebase MCP server before using the extension to generate Firebase Security Rules.
Limitations
We are actively improving this experience, so this list of limitations may change. Check back often for updates.
The prompt is designed to generate Firebase Security Rules for Cloud Firestore and Cloud Storage for Firebase. It's not yet capable of generating Security Rules for Firebase Realtime Database.
Firebase Security Rules are not called when accessing your database or bucket from a server or other backend environment, such as when using the Firebase Admin SDK. If you're using the Admin SDK, you're responsible for managing authorization and data validation in your backend code.
Gemini in Firebase within the Firebase console is unable to generate Firebase Security Rules, even when using this prompt. Instead, use an alternate AI assistant that has access to your codebase, such as Gemini CLI (which is described on this page).
Use the prompt
This prompt is available from the Gemini CLI extension for Firebase Security Rules to generate your Security Rules and tests. This extension analyzes your source code to help identify data schemas and access patterns for Cloud Firestore and Cloud Storage. It's designed to draft Security Rules based on the principle of least privilege and attempts to uncover vulnerabilities through iterative "attack" simulations. To assist with final verification, it provides a starting unit test suite using @firebase/rules-unit-testing, allowing you to verify your security logic locally using the Firebase Local Emulator Suite.
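To make the "least privilege" target concrete, here is an added example of the kind of firestore.rules file the extension aims to draft for the use cases named at the top of this page (user-specific access, role-based permissions, data validation). It is written for this page and is not output of the extension; the users collection with a role field, the posts collection, and the field names are assumptions chosen for the illustration.

```firebase-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions keep each allow line short and consistent.
    function isSignedIn() {
      return request.auth != null;
    }

    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Role-based permissions: the caller's role is read from their own
    // /users/{uid} document (assumed schema for this example).
    function isAdmin() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }

    // User-specific access: a user may read and edit only their own profile.
    match /users/{userId} {
      allow read: if isOwner(userId) || isAdmin();
      // A user cannot grant themselves a role: new profiles start as 'member'
      // and may carry only the expected fields.
      allow create: if isOwner(userId)
        && request.resource.data.role == 'member'
        && request.resource.data.keys().hasOnly(['displayName', 'role', 'createdAt']);
      // Owners may update their profile only if the role field stays unchanged;
      // admins may change anything.
      allow update: if (isOwner(userId)
          && request.resource.data.role == resource.data.role)
        || isAdmin();
      allow delete: if isAdmin();
    }

    // Data validation: a post needs a bounded title, the caller as author,
    // and a server-side timestamp (client must write serverTimestamp()).
    match /posts/{postId} {
      function validPost() {
        let d = request.resource.data;
        return d.title is string
          && d.title.size() > 0 && d.title.size() <= 120
          && d.authorId == request.auth.uid
          && d.createdAt == request.time;
      }
      allow read: if isSignedIn();
      allow create: if isSignedIn() && validPost();
      // The author may edit a post but cannot reassign it to someone else.
      allow update: if isOwner(resource.data.authorId)
        && request.resource.data.authorId == resource.data.authorId;
      allow delete: if isOwner(resource.data.authorId) || isAdmin();
    }

    // Any path not matched above is denied by default.
  }
}
```

When reviewing rules like these (yours or generated ones), the two checks worth a unit test each are the negative cases: a non-owner writing to /users/{otherUid}, and an owner updating their own document with role changed to 'admin'. Both should be rejected by the emulator before anything is deployed.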
Using this extension requires three steps, which are described in this section:
Step 1: Generate Security Rules and tests
Install and run the extension:
Install the Gemini CLI extension:
gemini extensions install https://github.com/firebase/snippets-rules
Start Gemini CLI:
gemini
From the root of your project, run the extension to generate Security Rules for either Cloud Firestore or Cloud Storage:
Generate Security Rules for Cloud Firestore:
/firebase-rules:firestore Generate Firebase Security Rules using PROJECT ID PROJECT_ID
In the parent directory, the extension creates a firestore.rules file and a new rules_test directory that contains a Node.js project with unit tests for the generated Security Rules.
Generate Security Rules for Cloud Storage for Firebase:
/firebase-rules:storage Generate Firebase Security Rules using PROJECT ID PROJECT_ID and BUCKET NAME BUCKET_NAME
In the parent directory, the extension creates a storage.rules file and a new storage_rules_test directory that contains a Node.js project with unit tests for the generated Security Rules.
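For the Cloud Storage side, here is an added example of a least-privilege storage.rules file of the kind the extension aims to draft; it is written for this page, not generated by the extension. The /users/{userId}/... path layout, the size limits and the image-only restriction are assumptions chosen for the illustration.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    function isSignedIn() {
      return request.auth != null;
    }

    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Validation for uploads: image content type and under 5 MB.
    // request.resource describes the incoming object on create/update.
    function isSmallImage() {
      return request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('image/.*');
    }

    // Public-to-signed-in avatars: any signed-in user may view,
    // only the owner may upload, replace or remove their own.
    match /users/{userId}/avatar/{fileName} {
      allow read: if isSignedIn();
      allow create, update: if isOwner(userId) && isSmallImage();
      allow delete: if isOwner(userId);
    }

    // Private files: only the owner can read, write or delete.
    // Deletes are split out because request.resource is null on delete.
    match /users/{userId}/private/{fileName} {
      allow read: if isOwner(userId);
      allow create, update: if isOwner(userId)
        && request.resource.size < 10 * 1024 * 1024;
      allow delete: if isOwner(userId);
    }

    // Every other object path is denied by default.
  }
}
```

The content-type check only constrains the metadata the client declares, so it is a validation of the request rather than of the file bytes; the size bound is the control that actually limits abuse of the bucket. A generated test suite should include an unauthenticated read of a private path and an oversized upload to the avatar path, both expected to fail.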
Step 2: Review Security Rules validation and test results
Make sure the following are done by your AI assistant. You should get a generated summary after the extension runs.
Syntax validation: After generating Security Rules, Gemini CLI automatically validates syntax using the firebase_validate_security_rules command from the Firebase MCP server.
Unit tests: After validating syntax, Gemini CLI attempts to run the generated unit tests using the Firebase Local Emulator Suite.
If tests don't run automatically, start the Firebase Local Emulator Suite in a separate terminal, then use one of the following options to run the tests:
Option 1: Instruct Gemini CLI to run tests:
Firebase Emulator Suite is running in a separate terminal. Please execute the tests.
Option 2: Run tests manually by following the instructions in the README.md file in the rules_test or storage_rules_test directory.
Step 3: Deploy Security Rules to your Firebase project
When you're satisfied with the result of your generated Security Rules, use the following Firebase CLI commands to deploy the Security Rules to your Firebase project:
Cloud Firestore:
firebase deploy --only firestore:rules
Cloud Storage for Firebase:
firebase deploy --only storage
Additional resources
- For additional help with your security posture, you can also use the security extension for Gemini CLI, an open-source extension that analyzes code changes to identify security risks and vulnerabilities.