
How to secure Realtime Database with rules?

Learn to secure your Firebase Realtime Database with our step-by-step guide on rules configuration, authentication, role-based access, data validation, and safe deployment.

Matt Graham, CEO of Rapid Developers


Step 1: Set Up Firebase Project

Begin by creating a Firebase project in the Firebase Console. Open the Firebase Console, click "Add project", follow the setup process, and configure Google Analytics if necessary. Make sure to choose the Realtime Database in the setup options.

Step 2: Access the Realtime Database

Once your project is set up, go to the project overview and locate the Realtime Database section in the left-hand menu. Click it to start configuring your database.

Step 3: Start in Test Mode (Optional)

You may start in test mode if you're just experimenting. Choose "Start in test mode" during the initial Realtime Database setup. In this mode, anyone who has the database link can read and write data, so it is not secure for production.

Step 4: Change Database Rules

Navigate to the "Rules" tab under Realtime Database. Here you'll find the JSON document that governs access control. A basic set of rules covering reads and writes looks like this:


{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

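These rules allow access only to authenticated users, so unauthenticated clients cannot read or write data. Note that every signed-in user can still read and write the entire database, which is why the following steps scope access per path.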

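Step 5: Implement Role-Based Access Control

Define rules for specific user roles by structuring the JSON rules. For instance, store each user's role in the database and reference it from the rules that guard privileged paths. Because users can write to their own users/$uid node, the role field itself must be protected; otherwise any signed-in user could set their own role to 'admin'. A ".write" rule on the role child cannot do this, since access granted at users/$uid cascades to its children, so the example uses a ".validate" rule that rejects any change to the stored role. Example:


{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
        "role": {
          ".validate": "newData.val() === data.val()"
        }
      }
    },
    "adminContent": {
      ".read": "root.child('users/' + auth.uid + '/role').val() === 'admin'",
      ".write": "root.child('users/' + auth.uid + '/role').val() === 'admin'"
    }
  }
}

With this rule in place, clients cannot assign or change a role. Roles are set from a trusted environment such as the Firebase Admin SDK, which bypasses database rules.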

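Step 6: Apply Data Validation

Ensure data integrity by adding validation rules. For example, if you're storing an age, require it to be a number greater than zero. A ".validate" rule does not grant access by itself: the write must still be allowed by a ".write" rule, which is part of the rules elided below.


{
  "rules": {
    ...
    "profiles": {
      "$uid": {
        ".validate": "newData.child('age').isNumber() && newData.child('age').val() > 0"
      }
    }
  }
}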

Step 7: Test Your Rules

Firebase provides a simulator to test these rules. Click "Rules Playground" at the top-right of the Rules page and simulate read and write requests to check that your rules work as expected.

Step 8: Deploy to Production with Caution

After testing, ensure your rule modifications won’t impact currently live applications. Export the rules as a .json file and deploy with caution. Use the Firebase CLI for controlled deployments:


firebase deploy --only database
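
A pre-deploy check along these lines can catch rules left over from test mode, or rules that never look at auth, before the deploy command publishes them. This is an added example, not part of the original guide or of Firebase's tooling: classify, lintRules and sampleRules are hypothetical names, the sample rules are constructed, and the auth check is a simple text heuristic. The function takes the object found under the top-level "rules" key.

```javascript
// Added example, not Firebase tooling: lint a parsed rules object before deploy.
const ACCESS_KEYS = [".read", ".write"];

// Describe why an access expression is risky, or return null if it is gated.
function classify(expr) {
  const src = String(expr).trim();
  if (src === "true") return { problem: "open to everyone", open: true };
  if (/^now\s*<\s*\d+$/.test(src))
    return { problem: "test-mode rule, open until the timestamp", open: true };
  if (src !== "false" && !/\bauth\b/.test(src))
    return { problem: "never checks auth", open: false };
  return null;
}

// Walk the rules tree. `granted` lists access keys an ancestor already opens:
// .read/.write cascade downward, so a deeper rule cannot take them back.
function lintRules(node, path = "", granted = []) {
  const findings = [];
  const openHere = [...granted];
  for (const rule of ACCESS_KEYS) {
    if (!(rule in node)) continue;
    const where = path || "/";
    if (granted.includes(rule)) {
      findings.push({ path: where, rule, problem: "ineffective, ancestor grants access" });
      continue;
    }
    const verdict = classify(node[rule]);
    if (!verdict) continue;
    findings.push({ path: where, rule, problem: verdict.problem });
    if (verdict.open) openHere.push(rule);
  }
  for (const [key, child] of Object.entries(node)) {
    // Keys starting with "." are rule expressions (.validate, .indexOn), not child paths.
    if (!key.startsWith(".") && child !== null && typeof child === "object")
      findings.push(...lintRules(child, `${path}/${key}`, openHere));
  }
  return findings;
}

// Constructed sample: a leftover test-mode read rule above per-user rules.
const sampleRules = {
  ".read": "now < 1767225600000",
  ".write": "auth != null",
  users: { $uid: { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } },
  feedback: { ".write": "newData.exists()" }
};

for (const f of lintRules(sampleRules)) console.log(`${f.path} ${f.rule}: ${f.problem}`);
```

On the sample, the per-user ".read" rule is reported as ineffective because the root rule already grants read access to every path beneath it.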

Secure your database with properly configured rules to prevent unauthorized access and maintain data integrity. Follow best practices by periodically reviewing and updating these rules.
