
Firebase security rules for a vibe-coded app

Firebase quickstarts ship in test mode — open to the world. Here is how to tell if your rules are still open, and how to lock Firestore, Storage and Realtime DB.

Firebase’s apiKey being public is normal and fine. The thing that actually protects your data is your Security Rules — and the default "test mode" rules are open to anyone for 30 days, which is exactly when a lot of vibe-coded apps ship.

The dangerous default

A rule like allow read, write: if true; (or test mode) means anyone on the internet can read and write your Firestore, Storage, or Realtime Database with nothing but the public config that’s already in your page.

What good rules look like

Require authentication and ownership. For Firestore:
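A complete firestore.rules file in the shape the FAQ below describes, added here as an example (it is not the page's own code and not Shipshape's). The notes collection and the userId field are assumptions. It also covers a case a one-line ownership rule misses: on a create there is no stored document yet, so resource.data is null and the owner check has to read request.resource.data instead.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Default deny. Allow statements are OR-ed, so this catch-all never
    // grants anything; it just makes the intent explicit for the next reader.
    match /{document=**} {
      allow read, write: if false;
    }

    // Assumed per-user collection: every document stores its owner's uid
    // in a userId field (assumed field name).
    match /notes/{noteId} {
      // The signed-in owner may read, update or delete an existing document.
      // resource.data is the document as currently stored.
      allow read, update, delete: if request.auth != null
        && request.auth.uid == resource.data.userId;

      // On create nothing is stored yet, so resource.data is null; the
      // ownership check must use the incoming data instead.
      allow create: if request.auth != null
        && request.auth.uid == request.resource.data.userId;
    }
  }
}
```

Two things to know when testing this: a single-document get by the owner succeeds, but a collection query is only allowed if the query itself filters on the owner (for example where("userId", "==", uid)), because Firestore evaluates rules against the query's constraints rather than the returned rows. And allow read, write: if request.auth != null on its own is better than test mode but still lets every signed-up account read every other user's documents; the ownership comparison is what closes that.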

Set Storage and Realtime Database to default-deny, then grant narrowly. Deploy with the Firebase CLI and re-check.
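The same default-deny-then-grant pattern for Storage, added as an example that is not the page's or Shipshape's code. The users/{uid}/... path layout and the size and content-type limits are assumptions; ownership is expressed by the path segment rather than a document field, so the check compares the uid in the path with the caller's uid.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // Default deny for every object in the bucket.
    match /{allPaths=**} {
      allow read, write: if false;
    }

    // Assumed layout: users/<uid>/<file>. Only the signed-in user whose uid
    // matches the path segment can touch objects under that prefix.
    match /users/{uid}/{fileName} {
      allow read, delete: if request.auth != null && request.auth.uid == uid;

      // Uploads and overwrites also get bounded in size and type (assumed
      // limits). Kept separate from delete because request.resource is null
      // on a delete and referencing it there would fail the evaluation.
      allow create, update: if request.auth != null && request.auth.uid == uid
        && request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('image/.*');
    }
  }
}
```

Realtime Database rules are JSON rather than this language; the equivalent is a users node with ".read": "auth != null && auth.uid == $uid" and the same expression for ".write" under a $uid key, and nothing granting ".read": true at the top level, because RTDB rules cascade downward and a permission granted at a parent cannot be taken away deeper in the tree. Deploy all three with firebase deploy --only firestore:rules,storage,database, then re-run an unauthenticated read to confirm it is now refused.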

How to tell if yours are open

You can’t see your rules from the outside, but you can test whether data comes back to an unauthenticated request. Shipshape does this read-minimally after you verify ownership — asking Firestore/Storage/Realtime DB for a single record and reporting only whether it was readable, never dumping your data.


FAQ

Is my Firebase apiKey being public a problem?
No. Google states the apiKey is safe in client code. Your Security Rules are what protect your data — open or test-mode rules are the real risk.

What do secure Firebase rules look like?
Rules that require both authentication and ownership, e.g. allow read, write: if request.auth != null && request.auth.uid == resource.data.userId. Default-deny, then grant narrowly.

How long does Firebase test mode stay open?
Test-mode rules typically allow open access for 30 days — long enough that many apps launch while still wide open.
