This prompt can help your AI assistant, such as Gemini CLI, generate and refine Firebase Security Rules for your app. You can use the prompt to draft Rules for common use cases, such as granting user-specific access, implementing role-based permissions, and validating data.
This prompt focuses on generating Rules for:
- Cloud Firestore: Secure collections and documents based on your app's logic.
- Cloud Storage for Firebase: Validate access permissions for your stored files.
Using this prompt can help you get started with a strong security posture, but you should always test your Rules thoroughly before deploying to production. For more information about testing Rules, review Get started with Firebase Security Rules: Test your rules.
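The three use cases named above (user-specific access, role-based permissions, and data validation) look like this when written by hand in a firestore.rules file. This is an added illustration of the least-privilege shape the prompt aims for, not output of the prompt or the extension; the users and announcements collections, the profile fields, and the admin custom claim are assumptions made for the example.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helper: the request carries a signed-in Firebase Auth user.
    function isSignedIn() {
      return request.auth != null;
    }
    // Helper: the caller is the user the document belongs to.
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }
    // Helper: role carried as a custom auth claim named 'admin' (assumed claim name).
    // A missing claim raises an error inside the rule, which evaluates as deny.
    function isAdmin() {
      return isSignedIn() && request.auth.token.admin == true;
    }
    // Data validation for a profile document (constructed schema for this example):
    // only the listed fields, typed, with a bounded display name.
    function isValidProfile(data) {
      return data.keys().hasOnly(['displayName', 'email', 'createdAt'])
        && data.displayName is string
        && data.displayName.size() > 0 && data.displayName.size() <= 50
        && data.email is string
        && data.createdAt is timestamp;
    }

    // User-specific access: each user can read and write only their own profile.
    match /users/{userId} {
      allow read: if isOwner(userId) || isAdmin();
      // On create the document must be valid and the email must match the auth token.
      allow create: if isOwner(userId)
        && isValidProfile(request.resource.data)
        && request.resource.data.email == request.auth.token.email;
      // On update the document must stay valid and createdAt must not change.
      allow update: if isOwner(userId)
        && isValidProfile(request.resource.data)
        && request.resource.data.createdAt == resource.data.createdAt;
      allow delete: if isAdmin();
    }

    // Role-based permissions: any signed-in user reads announcements, only admins write them.
    match /announcements/{announcementId} {
      allow read: if isSignedIn();
      allow write: if isAdmin();
    }

    // Anything not matched above is denied by default; this statement only makes that explicit.
    // Overlapping match statements are OR'd, so an explicit deny never overrides an allow above it.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Each allow statement names the narrowest operation it needs (create, update, and delete are separated rather than a blanket write), every branch requires a signed-in user, and validation runs on request.resource.data, the document as it would be after the write, rather than on the existing document.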
Prerequisites
- Familiarize yourself with Security Rules best practices.
- To run unit tests for Firebase Security Rules and use the Firebase Local Emulator Suite, install Node.js and the Firebase CLI. For full instructions, refer to Install, configure and integrate Local Emulator Suite.
- Recommended: If you haven't already, install Gemini CLI. The following instructions explain how to install and use a Gemini CLI extension to generate Rules; if you prefer to use another AI assistant, you can copy and paste the prompt from the repository into your chosen AI assistant.
- This Gemini CLI extension uses the Firebase MCP server to validate the Firebase Security Rules it generates. The MCP server can also be used for easier testing and deployment of your Rules. Install the Firebase MCP server before using the extension to generate Firebase Security Rules.
Limitations
We are actively improving this experience, so this list of limitations may change. Check back often for updates.
- Gemini in Firebase is unable to generate Firebase Security Rules. Use an alternate AI assistant, such as Gemini CLI.
- The prompt is designed to generate Firebase Security Rules for Cloud Firestore and Cloud Storage for Firebase. It's not yet capable of generating Rules for Firebase Realtime Database.
- Firebase Security Rules are not called when accessing your database or bucket from a server or other backend environment, such as when using the Firebase Admin SDK. If you're using the Admin SDK, you're responsible for managing authorization and data validation in your backend code.
Use the prompt
Use the experimental Gemini CLI extension for Firebase Security Rules to generate your rules and tests.
This extension analyzes your source code to help identify data schemas and access patterns for Cloud Firestore and Cloud Storage. It is designed to draft Rules based on the principle of least privilege and attempts to uncover vulnerabilities through iterative "attack" simulations. To assist with final verification, it provides a starting unit test suite using @firebase/rules-unit-testing, allowing you to verify your security logic locally using the Firebase Local Emulator Suite.
To install and use the extension:
Install the Gemini CLI extension:
gemini extensions install https://github.com/firebase/snippets-rules
Open Gemini CLI:
gemini
From the root of your project, run the extension to generate rules for Cloud Firestore:
/firebase-rules:firestore Generate rules using PROJECT ID PROJECT_ID
Or generate rules for Cloud Storage:
/firebase-rules:storage Generate rules using PROJECT ID PROJECT_ID and BUCKET NAME BUCKET_NAME
The extension creates a rules_test directory for Cloud Firestore or a storage_rules_test directory for Cloud Storage in your project root. This new directory contains the generated .rules file along with a Node.js project with unit tests.
Review rules validation and test results:
- Syntax validation - After generating rules, Gemini CLI automatically validates syntax using the firebase_validate_security_rules command from the Firebase MCP server.
- Unit tests - After validating syntax, Gemini CLI attempts to run the generated unit tests using the Firebase Local Emulator Suite. For the tests to run, you need to run the Firebase Local Emulator Suite in a separate terminal.
If tests don't run automatically, start the Firebase Local Emulator Suite in a separate terminal, then use one of the following options to run the tests:
- Instruct Gemini CLI to run tests with a prompt such as:
Firebase Emulator Suite is running in a separate terminal. Please execute the tests.
- Run tests manually by following the instructions in the README.md file in the rules_test or storage_rules_test directory.
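For comparison while reviewing the generated storage_rules_test output, this is what a hand-written least-privilege storage.rules file for the bucket passed as BUCKET_NAME can look like. It is an added example, not output of the extension; the users, public and uploads path layouts and the size and content-type limits are assumptions made for the illustration.

```rules
rules_version = '2';
service firebase.storage {
  // {bucket} binds to the bucket the rules are deployed for (BUCKET_NAME in the extension prompt).
  match /b/{bucket}/o {
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Profile pictures (assumed path): any signed-in user may view them, only the owner
    // may upload, and only small PNG or JPEG files are accepted. request.resource is
    // null on delete, so the size/type checks also refuse deletes from this statement.
    match /users/{userId}/profile/{fileName} {
      allow read: if isSignedIn();
      allow create, update: if isOwner(userId)
        && request.resource.size < 2 * 1024 * 1024
        && request.resource.contentType.matches('image/(png|jpeg)');
      allow delete: if isOwner(userId);
    }

    // Public assets (assumed path): world-readable, never writable from a client.
    // Writes happen from a backend with the Admin SDK, which these rules do not govern.
    match /public/{fileName} {
      allow read: if true;
      allow write: if false;
    }

    // Private uploads (assumed path): owner-only for every operation, with a size cap
    // applied to the incoming object on create and update.
    match /uploads/{userId}/{fileName} {
      allow read, delete: if isOwner(userId);
      allow create, update: if isOwner(userId)
        && request.resource.size < 10 * 1024 * 1024;
    }
  }
}
```

Unlike Firestore rules, storage rules validate object metadata (request.resource.size and request.resource.contentType) rather than field values, and a blanket allow write covers create, update and delete together, which is why the example splits them so that the metadata checks apply only where request.resource exists.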
When you're satisfied with the result of your generated Rules, use the following Firebase CLI commands to deploy them.
Cloud Firestore
firebase deploy --only firestore:rules
Cloud Storage
firebase deploy --only storage
Additional resources
- For additional help with your security posture, you can also use the security extension for Gemini CLI, an open-source extension that analyzes code changes to identify security risks and vulnerabilities.