Sarmad GardeziFirebase Firestore Database Rules List & Guide
The definitive guide to securing your NoSQL database. Learn how to write Firestore security rules for Admins and Users to protect your data.
Firebase Firestore Database Rules List & Guide
Intended Audience
Firebase Developers, Backend Engineers, and App Sec Specialists.
What We Cover
- No items to display
The 2026 Guide to Firestore Security Rules
Securing your NoSQL database is one of the most critical steps in Firebase development. Too often, developers leave their databases in "Test Mode" (open to the public) or apply rules that are too restrictive. Firestore Security Rules act as your backend logic, determining who can read or write data to your DB.
In this guide, we provide a copy-paste list of the most essential rules you will need for any production application, from basic authentication to complex admin role management.
Why Firestore Rules Matter
Security First: Unlike SQL databases hidden behind a server, Firestore is often accessed directly from the client. Security rules are the only barrier between a malicious user and your entire dataset.
- Granular Control: Define access at the document and field level.
- Data Validation: Ensure data being written matches your schema (e.g., specific string lengths or required fields).
- Authentication Integration: Seamlessly works with Firebase Auth to identify users.
Essential Firestore Security Rules (Admins & Users)
Below is a curated list of rules for common scenarios.
1. Default Locked Rule (Required)
The safest starting point. No one can read or write anything.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}2. Authenticated Users Access
Allow any signed-in user to access data. Useful for public read/private write scenarios or general user-only areas.
match /posts/{postId} {
// Only logged-in users can read/write
allow read, write: if request.auth != null;
}3. Owner-Only User Data
The most common rule. A user can only access their own profile or data.
match /users/{userId} {
// User ID must match the specific document ID
allow read, write: if request.auth != null &&
request.auth.uid == userId;
}4. Admin Role-Based Access
Secure sensitive data by checking a custom field (like role: 'admin') on the user's profile document.
Note: This requires a users collection where every document ID is the User UID, and has a field role.
function isAdmin() {
return request.auth != null &&
get(/databases/$(database)/documents/users/$(request.auth.uid))
.data.role == 'admin';
}
match /adminContent/{docId} {
allow read, write: if isAdmin();
}5. Public Read, Admin Write
Great for announcements, blog posts, or config settings that everyone needs to see but only admins can change.
match /announcements/{docId} {
allow read: if true;
allow write: if isAdmin();
}6. Data Validation Rule
Prevent bad data from entering your database.
match /comments/{commentId} {
// Comment must be a string and under 500 chars
allow create: if request.resource.data.text is string &&
request.resource.data.text.size() < 500;
}Conclusion
Mastering Firestore Rules is essential for building secure apps. Start with the default locked mode and open up access only as needed. Test your rules frequently in the Firebase Console Simulator before deploying to production.