Understand Firebase Security Rules for Cloud Storage

Traditionally, security has been one of the most complex parts of app development. In most applications, developers must build and run a server that handles authentication (who a user is) and authorization (what a user can do). Authentication and authorization are hard to set up, harder to get right, and critical to the success of your product.

Similar to how Firebase Authentication makes it easy for you to authenticate your users, Firebase Security Rules for Cloud Storage makes it easy for you to authorize users and validate requests. Cloud Storage Security Rules manage the complexity for you by allowing you to specify path based permissions. In just a few lines of code, you can write authorization rules that restrict Cloud Storage requests to a certain user or limit the size of an upload.

Note: If you use Google App Engine and have a default Cloud Storage bucket with a name format of *.appspot.com, you may need to consider how your security rules impact access to App Engine files.

The Firebase Realtime Database has a similar feature, called Firebase Realtime Database Security Rules.

Authentication

Knowing who your users are is an important part of building an application, and Firebase Authentication provides an easy to use, secure, client side only solution to authentication. Firebase Security Rules for Cloud Storage ties in to Firebase Authentication for user based security. When a user is authenticated with Firebase Authentication, the request.auth variable in Cloud Storage Security Rules becomes an object that contains the user's unique ID (request.auth.uid) and all other user information in the token (request.auth.token). When the user is not authenticated, request.auth is null. This allows you to securely control data access on a per-user basis. You can learn more in the Authentication section.

Authorization

Identifying your user is only part of security. Once you know who they are, you need a way to control their access to files in Cloud Storage.

Cloud Storage lets you specify per file and per path authorization rules that live on our servers and determine access to the files in your app. For example, the default Cloud Storage Security Rules require Firebase Authentication in order to perform any read or write operations on all files:

    service firebase.storage {
      match /b/{bucket}/o {
        match /someFolder/{fileName} {
          allow read, write: if request.auth != null;
        }
      }
    }

You can edit these rules by selecting a Firebase app in the Firebase console and viewing the Rules tab of the Storage section.

Data Validation

Firebase Security Rules for Cloud Storage can also be used for data validation, including validating file name and path as well as file metadata properties such as contentType and size.

    service firebase.storage {
      match /b/{bucket}/o {
        match /images/{imageId} {
          // Only allow uploads of any image file that's less than 5MB
          allow write: if request.resource.size < 5 * 1024 * 1024
                       && request.resource.contentType.matches('image/.*');
        }
      }
    }
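The three ideas on this page (a signed-in user, a path-based rule tied to that user's request.auth.uid, and validation of the uploaded file) combined in one rule set. This is an added example, not a rule set from the page or from Firebase; the /users/{userId} and /public paths and the 10 MB limit are assumptions.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Private area (assumed layout): the {userId} path segment must equal the
    // caller's Firebase Authentication uid, so users can only reach their own
    // files. Unauthenticated callers have request.auth == null and are denied.
    match /users/{userId}/{fileName} {
      allow read: if request.auth != null
                  && request.auth.uid == userId;

      // Uploads are additionally validated: image content type and a size
      // limit (10 MB is an assumed value, pick what your app needs).
      allow write: if request.auth != null
                   && request.auth.uid == userId
                   && request.resource.size < 10 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }

    // Public area (assumed layout): anyone may read, only signed-in users may
    // create or replace files, and those uploads are size-limited. Deletes are
    // granted separately because a delete carries no uploaded file to validate.
    match /public/{fileName} {
      allow read: if true;
      allow create, update: if request.auth != null
                            && request.resource.size < 10 * 1024 * 1024;
      allow delete: if request.auth != null;
    }

    // Every other path falls through with no matching allow and is denied,
    // which is the default; this match only makes that intent explicit.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```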


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-03 UTC.