General security guidelines for different development workflow environments
This page describes the most important best practices for security across environments, but review the Security checklist for more detailed and thorough guidance about security and Firebase.
Security for pre-production environments
One benefit of separating environments in different Firebase projects is that a malicious actor who is able to access your pre-prod environments won't be able to access real user data. Here are the most important security precautions to take for pre-production environments:
- Limit access to pre-prod environments. For mobile apps, use App Distribution (or something similar) to distribute an app to a specific set of people. Web applications are harder to restrict; consider setting up a blocking function for the pre-prod environments that restricts access to users with email addresses that are specific to your domain. Or, if you're using Firebase Hosting, set up your pre-prod workflows to use temporary preview URLs.
- When an environment doesn't need to be persisted and is only being used by one person (or in the case of tests, by one machine) use the Firebase Local Emulator Suite. These emulators are safer and faster because they can work entirely on localhost instead of using cloud resources.
- Make sure that you have Firebase Security Rules set up in pre-production environments, just as you do in prod. In general, the Security Rules should be the same across environments, with the caveat that since rules change with code, there may be rules earlier in the pipeline that don't yet exist in production.
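The blocking function mentioned in the first item could be built around a check like the following. This is an added example, not code from the Firebase documentation; `ALLOWED_DOMAINS`, the placeholder domain `example.com`, and the function names `emailDomain`, `checkPreprodUser` and `makeBlockingHandler` are assumptions made for illustration.

```javascript
// Added example, not Firebase's code. ALLOWED_DOMAINS and all function
// names are assumptions; example.com is a placeholder domain.
const ALLOWED_DOMAINS = new Set(["example.com"]);

// Lowercased domain of an address, or null unless it has exactly one "@"
// with a non-empty local part and a plain hostname after it.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at !== email.indexOf("@")) return null;
  const domain = email.slice(at + 1).toLowerCase();
  return /^[a-z0-9.-]+$/.test(domain) ? domain : null;
}

// Decide whether a user record may use the pre-prod environment.
// Exact domain match: a substring or suffix test would also accept
// look-alike domains.
function checkPreprodUser(user, { requireVerified = false } = {}) {
  const domain = emailDomain(user && user.email);
  if (domain === null) {
    return { allow: false, reason: "missing or malformed email" };
  }
  if (!ALLOWED_DOMAINS.has(domain)) {
    return { allow: false, reason: "domain not allowed" };
  }
  if (requireVerified && user.emailVerified !== true) {
    return { allow: false, reason: "email not verified" };
  }
  return { allow: true, reason: "ok" };
}

// Build the handler. The error class is injected so the check can be
// unit-tested without the SDK; in deployment pass the SDK's HttpsError.
function makeBlockingHandler(HttpsErrorClass, options) {
  return (event) => {
    const result = checkPreprodUser(event.data, options);
    if (!result.allow) {
      throw new HttpsErrorClass("permission-denied", result.reason);
    }
  };
}

// Wiring in the pre-prod project's functions/index.js:
//   const { beforeUserCreated, beforeUserSignedIn, HttpsError } =
//     require("firebase-functions/v2/identity");
//   exports.beforecreated = beforeUserCreated(makeBlockingHandler(HttpsError));
//   exports.beforesignedin = beforeUserSignedIn(
//     makeBlockingHandler(HttpsError, { requireVerified: true }));
```

Requiring a verified email only at sign-in lets email/password accounts be created (they start unverified) while still keeping unverified addresses out of the environment.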
Security for production environments
Production data is always a target, even if the app is obscure. Following these guidelines doesn't make it impossible for a malicious actor to get your data, but it makes it more difficult:
- Enable and enforce App Check for all the products you're using that support it. App Check makes sure that requests to your backend services are coming from your genuine apps. In order to use it, you need to register each version of your app with App Check. It's easier to set up before you have users, so set it up as soon as possible.
- Write robust Firebase Security Rules. Realtime Database, Cloud Firestore, and Cloud Storage all rely on developer-configured Security Rules to enforce who should and shouldn't be able to access data. It's essential to your security that you write good Security Rules. If you're not sure how, start with this codelab.
Review the Security checklist for more recommendations about security for production environments.
Next steps
- Review the Firebase launch checklist.
Last updated 2026-01-21 UTC.