// FIREBASE SECURITY CHECKER
Are your Firebase security rules leaving the door open?
Firebase makes it trivial to store and sync data straight from the browser — which means your security rules are the only thing standing between a stranger and your entire database. AI builders love to start with allow read, write: if true just to get things working, and that line quietly ships to production. Veilguard checks your live Firebase-backed app, grades it A to F, and gives you the exact rules to lock it down.
Free — no signup · Your code stays yours · Results in ~60s
// WHAT WE CHECK
What Veilguard checks in your Firebase project
allow read, write: if true
The rule that makes your entire database public. It’s the default starting point and the number-one Firebase mistake — we flag it immediately.
Auth-only rules without ownership checks
Rules that only require a user to be signed in — not that the document is theirs — let any logged-in user read and edit everyone’s data.
Client-controlled userId
Rules that trust an ID sent from the browser, which an attacker can simply change to impersonate another user.
Exposed Firebase config & keys
Sensitive keys shipped in the client beyond the expected public config, giving attackers more than they should have.
Open Cloud Storage rules
Storage rules that let anyone read or upload files, exposing user content and inviting abuse.
Missing HTTPS & security headers
Baseline protections absent on your hosting, which attackers check for first.
// THE GAP
Why Firebase projects end up exposed
Because Firebase talks directly to the browser, a weak rule isn’t a small mistake — it’s a fully open database on the public internet. The permissive starter rules are meant to be temporary, but when an AI builds your app there’s no one to remember to tighten them. Veilguard reads your rules the way an attacker would and tells you, in plain English, exactly what to change.
// HOW IT WORKS
Scan. Understand. Fix.
Scan
Paste your app’s link. No install, no signup — just the URL you already share with customers.
Understand
A clear A–F grade and every issue in plain English: what it is, why it matters, and how bad it really is.
Fix
The exact fix for each issue — copy-paste code or a ready-made prompt for your AI. Then we keep watching.
// FAQ
Firebase security, answered.
Can Veilguard check my Firebase security rules?
Yes. We probe your live app for what an unauthenticated visitor can reach, and with a read-only connection we review your Firestore and Storage rules line by line.
What’s the worst Firebase rule to leave in?
allow read, write: if true — it makes your whole database public. Auth-only rules without an ownership check are a close second, since any signed-in user can then reach everyone’s data.
Do I get the corrected rules?
Yes. Each finding includes the exact rule to paste into your firebase.rules file, or a prompt you can give your AI tool to apply it for you.
Scan another tool
Veilguard checks apps built with every major AI builder and backend.
Grade your Firebase app in 60 seconds.
Free — no signup · Your code stays yours · Results in ~60s