The Firebase Realtime Database provides a flexible, expression-based rules language with JavaScript-like syntax to easily define how your data should be structured, how it should be indexed, and when your data can be read from and written to. Combined with our authentication services, you can define who has access to what data and protect your users' personal information from unauthorized access.
Configuring rules
You can find and change the rules for your database in the Firebase console. Simply choose your project, click on the Database section on the left, and then select the Rules tab. If you would like to test your security rules before putting them into production, you can simulate operations in the console using the Simulate button in the upper right of the rules editor.
You can also update your rules using our Command Line Interface, which allows you to update your rules programmatically, such as from an automated deployment system. The CLI also supports deploying rules to multiple, non-default databases via deploy targets.
Sample rules
By default, your database rules require Firebase Authentication and grant full read and write permissions only to authenticated users. The default rules ensure your database isn't accessible by just anyone before you get a chance to configure it. Once you're set up, you can customize your rules to your needs. Here are some common examples:
Default
The default rules disable read and write access to your database by users. With these rules, you can only access the database through the Firebase console.
// These rules don't allow anyone read or write access to your database
{
"rules": {
".read": false,
".write": false
}
}
Public
During development, you can use the public rules in place of the default rules to set your files publicly readable and writable. This can be useful for prototyping, as you can get started without setting up Authentication. This level of access means anyone can read or write to your database. You should configure more secure rules before launching your app.
// These rules give anyone, even people who are not users of your app,
// read and write access to your database
{
"rules": {
".read": true,
".write": true
}
}
User
Here's an example of a rule that gives each authenticated user a personal
node at /users/$user_id where $user_id is the ID of the user
obtained through Authentication. This is a common scenario for any
apps that have data private to a user.
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
It is essential that you configure these rules correctly before launching your app to ensure that your users can only access the data that they are supposed to.
Next steps
- Learn more about securing your data using security rules.
- Learn more about specifying indexes using rules.