Firebase

// FIREBASE SECURITY CHECKER

Are your Firebase security rules leaving the door open?

Firebase makes it trivial to store and sync data straight from the browser — which means your security rules are the only thing standing between a stranger and your entire database. AI builders love to start with allow read, write: if true just to get things working, and that line quietly ships to production. Veilguard checks your live Firebase-backed app, grades it A to F, and gives you the exact rules to lock it down.

Free — no signup · Your code stays yours · Results in ~60s

// WHAT WE CHECK

What Veilguard checks in your Firebase project

Critical

allow read, write: if true

The rule that makes your entire database public. It’s the default starting point and the number-one Firebase mistake — we flag it immediately.

Critical

Auth-only rules without ownership checks

Rules that only require a user to be signed in — not that the document is theirs — let any logged-in user read and edit everyone’s data.

Critical

Client-controlled userId

Rules that trust an ID sent from the browser, which an attacker can simply change to impersonate another user.

Warning

Exposed Firebase config & keys

Sensitive keys shipped in the client beyond the expected public config, giving attackers more than they should have.

Warning

Open Cloud Storage rules

Storage rules that let anyone read or upload files, exposing user content and inviting abuse.

Warning

Missing HTTPS & security headers

Baseline protections absent on your hosting, which attackers check for first.

// THE GAP

Why Firebase projects end up exposed

Because Firebase talks directly to the browser, a weak rule isn’t a small mistake — it’s a fully open database on the public internet. The permissive starter rules are meant to be temporary, but when an AI builds your app there’s no one to remember to tighten them. Veilguard reads your rules the way an attacker would and tells you, in plain English, exactly what to change.

// HOW IT WORKS

Scan. Understand. Fix.

01

Scan

Paste your app’s link. No install, no signup — just the URL you already share with customers.

02

Understand

A clear A–F grade and every issue in plain English: what it is, why it matters, and how bad it really is.

03

Fix

The exact fix for each issue — copy-paste code or a ready-made prompt for your AI. Then we keep watching.

// FAQ

Firebase security, answered.

Can Veilguard check my Firebase security rules?

Yes. We probe your live app for what an unauthenticated visitor can reach, and with a read-only connection we review your Firestore and Storage rules line by line.

What’s the worst Firebase rule to leave in?

allow read, write: if true — it makes your whole database public. Auth-only rules without an ownership check are a close second, since any signed-in user can then reach everyone’s data.

Do I get the corrected rules?

Yes. Each finding includes the exact rule to paste into your firebase.rules file, or a prompt you can give your AI tool to apply it for you.

Grade your Firebase app in 60 seconds.

Free — no signup · Your code stays yours · Results in ~60s