
Get Started with Database Rules

The Firebase Realtime Database provides a flexible, expression-based rules language with JavaScript-like syntax to easily define how your data should be structured, how it should be indexed, and when your data can be read from and written to. Combined with our authentication services, you can define who has access to what data and protect your users' personal information from unauthorized access.

Configuring rules

You can find and change the rules for your database in the Firebase console. Simply choose your project, click on the Database section on the left, and then select the Rules tab. If you would like to test your security rules before putting them into production, you can simulate operations in the console using the Simulate button in the upper right of the rules editor.

You can also update your rules using our Command Line Interface. This is especially useful if you want to update your rules programmatically, such as from an automated deployment system.

Sample rules

By default, your database rules require Firebase Authentication and grant full read and write permissions only to authenticated users. The default rules ensure your database isn't accessible by just anyone before you get a chance to configure it. Once you're set up, you can customize your rules to your needs. Here are some common examples:

Default

The default rules require Authentication. They allow full read and write access to authenticated users of your app. They are useful if you want data open to all users of your app but don't want it open to the world.

// These rules require authentication
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Public

During development, you can use the public rules in place of the default rules to make your data publicly readable and writable. This can be useful for prototyping, as you can get started without setting up Authentication. This level of access means anyone can read or write to your database. You should configure more secure rules before launching your app.

// These rules give anyone, even people who are not users of your app,
// read and write access to your database
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

User

Here's an example of a rule that gives each authenticated user a personal node at /users/$uid, where $uid is the ID of the user obtained through Authentication. This is a common scenario for any app that has data private to a user.

// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Private

Private rules disable read and write access to your database by users. With these rules, you can only access the database through the Firebase console.

// These rules don't allow anyone read or write access to your database
{
  "rules": {
    ".read": false,
    ".write": false
  }
}

It is essential that you configure these rules correctly before launching your app to ensure that your users can only access the data that they are supposed to.
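
One way to check a rules file before it is deployed from the CLI or an automated pipeline, as an added example (not Firebase's own tooling): it classifies each .read/.write rule along the lines of the four samples above and flags rules that do not depend on auth. The function names, level names and sample inputs are assumptions of this example.

```javascript
// Added example: heuristic pre-deploy triage of .read/.write rules.

// Rules files may carry // comments (as the samples on this page do), which
// JSON.parse rejects. Remove them without touching string contents.
function stripComments(text) {
  return text.replace(/"(?:\\.|[^"\\])*"|\/\/[^\n]*/g,
    (m) => (m.startsWith('"') ? m : ''));
}

// Map one rule value to an exposure level (level names are this example's).
function classify(expr) {
  if (expr === true || String(expr).trim() === 'true') return 'public';
  if (expr === false || String(expr).trim() === 'false') return 'denied';
  // An expression that never mentions `auth` cannot depend on the caller.
  if (!/\bauth\b/.test(expr)) return 'no-auth-check';
  // $wildcard compared with auth.uid: the per-user pattern from this page.
  if (/\$\w+\s*===?\s*auth\.uid\b|\bauth\.uid\s*===?\s*\$\w+/.test(expr)) return 'per-user';
  return 'authenticated';
}

// Walk the rules tree and return one finding per .read/.write rule.
function auditRules(text) {
  const findings = [];
  const walk = (node, path) => {
    for (const [key, value] of Object.entries(node)) {
      if (key === '.read' || key === '.write') {
        findings.push({ path: path || '/', op: key.slice(1), level: classify(value) });
      } else if (value !== null && typeof value === 'object') {
        walk(value, `${path}/${key}`);
      }
    }
  };
  walk(JSON.parse(stripComments(text)).rules, '');
  return findings;
}

// Deployment gate: rules that do not depend on the caller's identity.
function blocksDeploy(findings) {
  return findings.filter((f) => f.level === 'public' || f.level === 'no-auth-check');
}

// Constructed inputs modelled on the "Public" and "User" samples.
const PUBLIC_RULES = `// open to the world
{ "rules": { ".read": true, ".write": true } }`;
const USER_RULES = `{ "rules": { "users": { "$uid": {
  ".read": "$uid === auth.uid",   // owner only
  ".write": "$uid === auth.uid" } } } }`;
console.log(blocksDeploy(auditRules(PUBLIC_RULES))); // two findings at "/"
console.log(blocksDeploy(auditRules(USER_RULES)));   // none
```

The classification is a string heuristic, so a finding of 'authenticated' or 'per-user' still deserves a run through the console simulator before launch.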
