Firebase Security Rules
Declarative access control rules for Firebase Firestore, Realtime Database and Cloud Storage that are evaluated server-side for every read or write.
In detail
Firebase Security Rules are the primary data access layer for Firebase apps. Because the Firebase SDKs let client-side code read and write the database directly, the rules are the only control preventing a malicious client from accessing data it should not. Rules are written in a domain-specific language and evaluated server-side for every request, so there is no application server in the path to compensate for a weak rule. A common misconfiguration is a catch-all rule that allows read and write to every document for any authenticated user (or, more dangerously, for anyone at all). Firebase's default rules in some SDK versions have historically allowed open access until explicitly locked down.
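The catch-all misconfiguration described above, shown beside a least-privilege Cloud Firestore ruleset. This is an added illustration, not rules from the original page or from any real engagement; the `users` and `orders` collections and the `ownerId` field are an assumed schema.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // MISCONFIGURATION (kept only as a comment): every signed-in user can read
    // and write every document in the project. Replacing `request.auth != null`
    // with `true` is the fully open variant.
    //
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Assumed helper functions: bind access to the caller's own uid.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Assumed collection /users/{uid}: a user may only touch their own profile,
    // and on create may only write the two expected fields.
    match /users/{uid} {
      allow read, update, delete: if isOwner(uid);
      allow create: if isOwner(uid)
                    && request.resource.data.keys().hasOnly(['displayName', 'email']);
    }

    // Assumed collection /orders/{orderId}: the ownerId stored in the document
    // controls access, and an update may not reassign ownership.
    match /orders/{orderId} {
      allow read, delete: if isOwner(resource.data.ownerId);
      allow create: if isOwner(request.resource.data.ownerId);
      allow update: if isOwner(resource.data.ownerId)
                    && request.resource.data.ownerId == resource.data.ownerId;
    }

    // No catch-all match: any path not matched above is denied by default.
  }
}
```

The default-deny outcome only holds if no other `match` in the file grants broader access, so review the whole ruleset rather than just the block you added.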
Why it matters for Australian business
Firebase is a popular backend choice for vibe-coded Australian apps, and misconfigured security rules are a direct path to full data exposure. Firebase rules are not Postgres policies in the way Supabase Row Level Security is, but the risk is the same: a client-accessible database without server-enforced access control is a data breach waiting to happen. We audit Firebase rules on every engagement that involves a Firebase backend and rewrite them to the principle of least privilege.