Get started with Cloud Firestore Security Rules
With Cloud Firestore Security Rules, you can focus on building a great user experience without having to manage infrastructure or write server-side authentication and authorization code.
Security rules provide access control and data validation in a simple yet expressive format. To build user-based and role-based access systems that keep your users' data safe, you need to use Firebase Authentication with Cloud Firestore Security Rules.
Note: The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials. If you're using the server client libraries or the REST or RPC APIs, make sure to set up Identity and Access Management (IAM) for Cloud Firestore.
Security rules version 2
As of May 2019, version 2 of the Cloud Firestore security rules is now available. Version 2 of the rules changes the behavior of recursive wildcards {name=**}. You must use version 2 if you plan to use collection group queries. You must opt-in to version 2 by making rules_version = '2'; the first line in your security rules:

    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        // match statements go here
      }
    }

Writing rules
You will write and manage Cloud Firestore Security Rules tailored to the data model you create for the default database and each additional database in your project.
All Cloud Firestore Security Rules consist of match statements, which identify documents in your database, and allow expressions, which control access to those documents:

    service cloud.firestore {
      match /databases/{database}/documents {
        match /<some_path>/ {
          allow read, write: if <some_condition>;
        }
      }
    }

Every database request from a Cloud Firestore mobile/web client library is evaluated against your security rules before reading or writing any data. If the rules deny access to any of the specified document paths, the entire request fails.
Below are some examples of basic rule sets. While these rules are valid, they are not recommended for production applications:
Auth required

    // Allow read/write access on all documents to any user signed in to the application
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if request.auth != null;
        }
      }
    }

Deny all

    // Deny read/write access to all users under any conditions
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if false;
        }
      }
    }

Allow all

    // Allow read/write access to all users under any conditions
    // Warning: **NEVER** use this rule set in production; it allows
    // anyone to overwrite your entire database.
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if true;
        }
      }
    }

The {document=**} path used in the examples above matches any document in the entire database. Continue on to the guide for structuring security rules to learn how to match specific data paths and work with hierarchical data.
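The basic rule sets above can be caught mechanically before a deploy. The following lint is an added example, not Firebase tooling or code from this page: it flags a rules file whose whole-database match ({name=**} directly under the documents root) uses the "Allow all" or "Auth required" condition, and notes when rules_version = '2'; is not the first statement. The function name lintRules, the finding ids and the /cities/{city} sample path are assumptions made for the example.

```javascript
// Added example: pre-deploy lint for a firestore.rules file (not Firebase tooling).
// Tokens, in order: match opener, conditional allow, other "{" (service/function), "}".
const TOKEN = /\bmatch\s+(\S+)\s*\{|\ballow\s+([^:;]+):\s*if\s+([^;]+);|(\{)|(\})/g;
// Full path of a recursive wildcard sitting directly under the documents root.
const WHOLE_DB = /^\/databases\/\{\w+\}\/documents\/\{\w+=\*\*\}$/;

function lintRules(source) {
  // Drop comments so commented-out rules are not reported.
  const text = source.replace(/\/\*[\s\S]*?\*\/|\/\/.*$/gm, '');
  const findings = [];
  // Version 2 is required for collection group queries and must come first.
  if (!/^\s*rules_version\s*=\s*['"]2['"]\s*;/.test(text)) {
    findings.push({ id: 'not-v2', detail: "rules_version = '2'; is not the first statement" });
  }
  const stack = []; // one entry per open brace: a match path, or '' for other blocks
  for (const m of text.matchAll(TOKEN)) {
    if (m[1] !== undefined) stack.push(m[1]);
    else if (m[4]) stack.push('');
    else if (m[5]) stack.pop();
    else {
      // An allow statement: evaluate it against the enclosing match paths.
      if (!WHOLE_DB.test(stack.join(''))) continue;
      const methods = m[2].trim();
      const cond = m[3].replace(/\s+/g, '');
      if (cond === 'true') {
        findings.push({ id: 'allow-all', detail: `${methods} open to anyone` });
      } else if (cond === 'request.auth!=null') {
        findings.push({ id: 'any-signed-in-user', detail: `${methods} open to every signed-in user` });
      }
    }
  }
  return findings;
}

// Constructed samples: the page's "Allow all" set, and a v2 file scoped to one
// collection (/cities/{city} is a hypothetical path).
const ALLOW_ALL = `service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} { allow read, write: if true; }
  }
}`;
const SCOPED = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /cities/{city} { allow read: if request.auth != null; }
  }
}`;
console.log(lintRules(ALLOW_ALL), lintRules(SCOPED));
```

The lint recognises only the literal conditions shown on this page; an equivalent condition written another way passes unflagged, so a clean result is a minimum bar rather than evidence that the rules are safe.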
Testing rules
Cloud Firestore provides a rules simulator that you can use to test your ruleset. You can access the simulator from the Rules tab in the Cloud Firestore section of the Firebase console.
The rules simulator lets you simulate authenticated and unauthenticated reads, writes, and deletes. When you simulate an authenticated request, you can build and preview authentication tokens from various providers. Simulated requests run against the ruleset in your editor, not your currently deployed ruleset.
Deploying rules
Before you can start using Cloud Firestore from your mobile app, you will need to deploy security rules. You can deploy rules in the Firebase console, using the Firebase CLI, or with the Cloud Firestore management REST API.
Updates to Cloud Firestore Security Rules can take up to a minute to affect new queries and listeners. However, it can take up to 10 minutes to fully propagate the changes and affect any active listeners.
Note: When you deploy security rules using the Firebase CLI, the rules defined in your project directory overwrite any existing rules in the Firebase console. So, if you choose to define or edit your security rules using the Firebase console, make sure that you also update the rules defined in your project directory.
Use the Firebase console
To set up and deploy your first set of rules, for the default database in your project, open the Rules tab in the Cloud Firestore section of the Firebase console.
Write your rules in the online editor, then click Publish.
Note: The Firebase console currently supports deployment of Cloud Firestore Security Rules to your project's default database. Future updates will allow you to deploy Rules to additional databases in your project. You can use the Firebase CLI to work with Rules in your multi-database projects.
Use the Firebase CLI
You can also deploy rules using the Firebase CLI. Using the CLI allows you to keep your rules under version control with your application code and deploy rules as part of your existing deployment process.

    # Set up Firestore in your project directory, creates a .rules file
    firebase init firestore

    # Edit the generated .rules file to your desired security rules
    # ...

    # Deploy rules for all configured databases
    firebase deploy --only firestore

Enhance security for Cloud Storage
Your apps will benefit from the robust database features of Cloud Firestore and the file storage and management features of Cloud Storage. Used together, these products also provide reinforcing app security, since Cloud Firestore can capture authorization requirements usable by Firebase Security Rules for both products. For more, see the guide for Cloud Storage.
Next steps
- Learn how to structure security rules.
- Write custom security rules conditions.
- Read the security rules reference.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.