Get Started with Storage Security Rules

In typical apps, developers must build and maintain many servers that perform authentication, authorization, and data validation, as well as the developer's business logic. Apps using Cloud Storage for Firebase make use of Firebase Authentication and Firebase Security Rules for Cloud Storage to handle serverless authentication, authorization, and data validation.

Using Cloud Storage and Storage Security Rules means that you can focus on building a great user experience, without having to manage infrastructure or write complex server-side authentication and authorization code!

Overview

Storage Security Rules are used to determine who has read and write access to files stored in Cloud Storage, as well as how files are structured and what metadata they contain. The basic type of rule is the allow rule, which allows read and write operations if an optionally specified condition is met. Some examples of rules are:

// Rules can optionally specify a condition
allow write: if <condition>;

Rules match file paths representing Cloud Storage references. Rules may match one or more file paths, and more than one rule can match the file path in a given request:

// Rules match specific paths
match /images/profilePhoto.png {
  allow write: if <condition>;
}

match /images/croppedProfilePhoto.png {
  allow write: if <other_condition>;
}

The context of the rule evaluation is also exposed through the request and resource objects, which provide information such as the auth context (request.auth) and the existing object's size (resource.size).

// Rules can specify conditions that consider the request context
match /images/profilePhoto.png {
  allow write: if request.auth != null && request.resource.size < 5 * 1024 * 1024;
}

Learn more about Storage Security Rules in the Secure Files section.

Sample Rules

Storage Security Rules must first specify the service (in our case firebase.storage), and the Cloud Storage bucket (via match /b/{bucket}/o) which rules are evaluated against. The default rules require Firebase Authentication, but here are some examples of other common rules with different access control.

Default

// Only authenticated users can read or write to the bucket
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Public

// Anyone can read or write to the bucket, even non-users of your app.
// Because it is shared with Google App Engine, this will also make
// files uploaded via GAE public.
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}

User

// Grants a user access to a node matching their user ID
service firebase.storage {
  match /b/{bucket}/o {
    // Files look like: "user/<UID>/path/to/file.txt"
    match /user/{userId}/{allPaths=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

Private

// Access to files through Firebase Storage is completely disallowed.
// Files may still be accessible through Google App Engine or GCS APIs.
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}

During development, you can use the public rules in place of the default rules to set your files publicly readable and writable. This is very useful for prototyping, as you can get started without setting up Firebase Authentication. However, because Cloud Storage shares a bucket with your default Google App Engine app, this rule also makes any data used by that app public as well.

User rules allow you to give each of your authenticated users their own personal file storage. You can also lock down your files entirely by using the private rules, but be aware that your users won't be able to read or write anything through Cloud Storage with these rules. Users accessing files from your Google App Engine app or the GCS APIs may still have access.

Before launch, make sure that you evaluate your rules to ensure they provide the maximum level of security your application needs.

Edit Rules

Cloud Storage provides an easy way to edit your Storage Security Rules via the Rules tab in the Firebase console Storage section. In the Rules tab, you can quickly and easily view and edit your current rules. These rules are deployed by clicking Publish, or by saving the file (ctrl/cmd + s). Rules are immediately uploaded to Cloud Storage servers, but may take up to five minutes to become live.

The Firebase CLI can be used to deploy rules as well. If you select Storage when running firebase init, a storage.rules file with a copy of the default rules will be created in your project directory. You can deploy these rules using the firebase deploy command. If you have multiple buckets in your project, you can use deploy targets to deploy rules to all of your buckets at once from the same project folder.

When you deploy rules via the Firebase CLI, the rules are updated in the Firebase console. However, if you deploy rules via the editor in the Firebase console's Rules tab, your local rules are not updated. Make sure to keep this in mind when multiple people might be editing the same rules.

Learn more about how file based security works in the Secure Files section, or understand user based security in the User Security section.

Send feedback about...

Need help? Visit our support page.