Get Started with Database Rules

The Firebase Realtime Database provides a flexible, expression-based rules language with JavaScript-like syntax to easily define how your data should be structured, how it should be indexed, and when your data can be read from and written to. Combined with our authentication services, you can define who has access to what data and protect your users' personal information from unauthorized access.

Configuring rules

You can find and change the rules for your database in the Firebase console. Simply choose your project, click on the Database section on the left, and then select the Rules tab. If you would like to test your security rules before putting them into production, you can simulate operations in the console using the Simulate button in the upper right of the rules editor.

You can also update your rules using our Command Line Interface, which allows you to update your rules programmatically, such as from an automated deployment system. The CLI also supports deploying rules to multiple, non-default databases via deploy targets.

Sample rules

By default, your database rules require Firebase Authentication and grant full read and write permissions only to authenticated users. The default rules ensure your database isn't accessible by just anyone before you get a chance to configure it. Once you're set up, you can customize your rules to your needs. Here are some common examples:

Default

The default rules disable read and write access to your database by users. With these rules, you can only access the database through the Firebase console.

// These rules don't allow anyone read or write access to your database
{
  "rules": {
    ".read": false,
    ".write": false
  }
}

Public

During development, you can use the public rules in place of the default rules to set your files publicly readable and writable. This can be useful for prototyping, as you can get started without setting up Authentication. This level of access means anyone can read or write to your database. You should configure more secure rules before launching your app.

// These rules give anyone, even people who are not users of your app,
// read and write access to your database
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

User

Here's an example of a rule that gives each authenticated user a personal node at /users/$user_id where $user_id is the ID of the user obtained through Authentication. This is a common scenario for any apps that have data private to a user.

// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

It is essential that you configure these rules correctly before launching your app to ensure that your users can only access the data that they are supposed to.

Next steps

Learn more about securing your data using security rules.
Learn more about specifying indexes using rules.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

上次更新：一月 31, 2019。