Set Up Cloud Firestore Security Rules

With Cloud Firestore and Cloud Firestore Security Rules for the Android, iOS, and Web client libraries, you can focus on building a great user experience, without having to manage infrastructure or write server-side authentication and authorization code. Authenticate users through Firebase Authentication and set up rules to determine who has access to data stored in Cloud Firestore.

Set up and customize Cloud Firestore Security Rules in the Firebase console.

Set up Cloud Firestore Security Rules

You can create and deploy your first set of Cloud Firestore Security Rules by using either the Firebase console or the Firebase CLI.

Use the Firebase console

To set up and deploy your first set of rules, open the Rules tab in the Cloud Firestore section of the Firebase console.

Cloud Firestore populates a default rule, denying read and write access to everyone on all data:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

You can change the rule to allow access to everyone, or to a specific set of users while you're in development or prototyping. We recommend that you set up Firebase Authentication and evaluate your rules to ensure they provide the maximum level of security your application needs before launch.

Use the Firebase CLI

You can also deploy rules with the Firebase CLI. To get started, run firebase init firestore in your project directory. During setup, the Firebase CLI generates a default rules (.rules) file, with the rules described above. Edit your rules, then deploy them by running firebase deploy. If you only want to deploy the rules, add the --only firestore:rules flag.

If you use the Firebase CLI, be aware that any edits you make to rules in the Firebase console aren't reflected on your local machine. If you make edits in the Firebase console, make sure to update your local rules file.

Edit Cloud Firestore Security Rules

Before you customize your rules, let's take a look at how they work. Rules match paths representing a document or collection in Cloud Firestore. Rules may match one or more paths (for example, a rule may match all documents in a collection), and more than one rule can match the document name in a given request.

If there are multiple rules matching a given document, Cloud Firestore allows an operation to succeed if any of the matching rules allow it. For example, if a rule allows write access on a document for a user, but other rules only allow read access for that user, Cloud Firestore still allows the user to write to that document.

The basic type of rule is the allow rule, which allows read and write operations if an optionally specified condition is met.

Apply rules to multiple documents or collections with wildcards. Wildcards represent the document or collection ID in the match path as a string between curly brackets. Add =** to the end of your wildcard string to apply the wildcard to all documents and subcollections in the path. Learn more about using wildcards in rules.

service cloud.firestore {
  match /databases/{database}/documents {
    // Rules match specific paths, matching a particular document within a collection
    match /myCollection/myDocument {
      allow read, write: if <condition>;
    }

    // Rules can also specify a wildcard, matching any document within a collection
    match /myCollection/{anyDocument} {
      allow write: if <other_condition>;
    }
  }
}

The context of the rule evaluation is also exposed through the request and resource objects. The request object has information about the request, such as the authenticated user (request.auth, which is null for unauthenticated requests) and the time the request was made (request.time). The resource object is the Cloud Firestore document being read or written.

service cloud.firestore {
  match /databases/{database}/documents {
    // Rules can specify conditions that consider the request context
    // Such as user authentication or time of the request
    match /myCollection/myDocument {
      allow read: if request.auth != null;
    }

    // Rules can also consider fields of the resource being read or written
    match /myCollection/myDocument {
      allow read: if resource.data.field == value;
    }

    // Rules can also consider the contents of other documents stored
    // This can be used to enforce schema and referential integrity
    match /myCollection/myDocument {
      allow read: if get(/databases/$(database)/documents/myCollection/otherDocument).data.field == value;
    }

  }
}

Consider the following example for a simple chat app. The first rule restricts access to a specific user for that user's specific data. The second rule allows access to all messages in a chat room for all users.

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth.uid == userId;
    }
    match /rooms/{roomId} {
      match /messages/{messageId} {
        allow read, write: if request.auth != null;
      }
    }
  }
}
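The matching semantics described above (wildcards, the =** recursive wildcard, and "an operation succeeds if any matching rule allows it") can be made concrete with a small model. The following is an added example written for this page, not Firestore's own evaluator or any Firebase library code: it models rules as path patterns plus condition functions over a constructed request/resource context, using the chat-app rules above plus a constructed /notes collection to show overlapping rules.

```javascript
// Toy model of Cloud Firestore rule matching (added example, not Firestore code).
// A rule is { path, ops, cond }; cond receives the evaluation context and the
// wildcard bindings. All paths and field names below are constructed sample data.
const RULES = [
  // Chat-app rules from the page, with an explicit null-auth guard.
  { path: '/users/{userId}', ops: ['read', 'write'],
    cond: (ctx, v) => ctx.request.auth !== null && ctx.request.auth.uid === v.userId },
  { path: '/rooms/{roomId}/messages/{messageId}', ops: ['read', 'write'],
    cond: (ctx) => ctx.request.auth !== null },
  // Two rules match the same document: the second grants write to the owner even
  // though the first only grants read, because any matching allow rule suffices.
  { path: '/notes/{noteId}', ops: ['read'], cond: (ctx) => ctx.request.auth !== null },
  { path: '/notes/{noteId}', ops: ['read', 'write'],
    cond: (ctx) => ctx.request.auth !== null && ctx.resource.data.owner === ctx.request.auth.uid },
  // Recursive wildcard: matches every document under /public, at any depth.
  { path: '/public/{doc=**}', ops: ['read'], cond: () => true },
];

// Match a pattern against a concrete document path. Returns the bound wildcard
// variables, or null if the pattern does not match.
function matchPath(pattern, docPath) {
  const pat = pattern.split('/').filter(Boolean);
  const doc = docPath.split('/').filter(Boolean);
  const vars = {};
  for (let i = 0; i < pat.length; i++) {
    if (doc.length <= i) return null;
    const recursive = pat[i].match(/^\{(\w+)=\*\*\}$/);
    if (recursive) {
      // This model requires at least one remaining segment for {name=**}.
      vars[recursive[1]] = doc.slice(i).join('/');
      return vars;
    }
    const single = pat[i].match(/^\{(\w+)\}$/);
    if (single) vars[single[1]] = doc[i];
    else if (pat[i] !== doc[i]) return null;
  }
  return doc.length === pat.length ? vars : null;
}

// Allowed iff at least one matching rule lists the op and its condition is true.
// A condition that throws (e.g. reading .uid of a null auth) is treated as a
// denial in this model, so nothing is granted by accident.
function isAllowed(rules, op, docPath, ctx) {
  return rules.some((rule) => {
    const vars = matchPath(rule.path, docPath);
    if (vars === null || !rule.ops.includes(op)) return false;
    try { return rule.cond(ctx, vars) === true; } catch (_) { return false; }
  });
}

const alice = { request: { auth: { uid: 'alice' } }, resource: { data: { owner: 'alice' } } };
console.log(isAllowed(RULES, 'write', '/notes/n1', alice)); // true: owner rule wins
```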

Example rules

Here are some examples of other common rules with different access control.

Public

// Anyone can read or write to the database, even non-users of your app.
service cloud.firestore {
  match /databases/{database}/documents {
    // Match all documents, recursively, with a wildcard and the "=**" recursive modifier
    match /{document=**} {
      allow read, write;
    }
  }
}

User

// Grants a user access to a document matching their Auth user Id
service cloud.firestore {
  match /databases/{database}/documents {
    // Collection named "users", document named after the userId
    match /users/{userId} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

Private

// Access to documents through the Cloud Firestore mobile/web
// client libraries is completely disallowed. Documents may still be
// accessible through the Cloud Firestore server client libraries;
// the Cloud Firestore REST and RPC APIs; and the Cloud Datastore
// client libraries and APIs.
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Next steps

Learn more about customizing rules to fit your needs.
