Firebase security scanner

Firebase Security Audit in 60 Seconds

AI tools frequently generate Firebase apps with open Firestore rules and public Storage buckets. SecuriSky detects these misconfigurations from the outside — no Firebase console access needed — and gives you AI fix prompts for Cursor.

No signup required for your first scan. No Firebase console access needed.

4 Firebase misconfigurations found in most AI-built apps

Open Firestore Rules

Default Firebase rules (`allow read, write: if true`) give public read/write access to your entire Firestore database. Any user — authenticated or not — can read, overwrite, or delete all documents.

Public Storage Buckets

Firebase Storage default rules often allow unauthenticated file downloads. SecuriSky probes your storage bucket path for public read access.

Firebase Config in JS Bundle

Firebase configuration (apiKey, projectId, authDomain) is necessarily client-side — but a weak project setup means these values give attackers direct API access with your project's quota.

No Authentication Enforcement

AI-generated Firebase apps frequently call Firestore from client code without checking auth state. SecuriSky validates that your rules require authentication for sensitive collections.

How the Firebase audit works

1. Paste your deployed app URL

Enter your Firebase Hosting, Vercel, or custom domain URL. SecuriSky automatically detects Firebase usage.

2. Extracts Firebase config from bundle

SecuriSky locates your Firebase configuration (projectId, databaseURL, storageBucket) from your JavaScript bundle.

3. Probes Firestore and Storage directly

Makes unauthenticated API calls to your actual Firestore collections and Storage bucket. An HTTP 200 response confirms open access.

4. AI fix prompt for Firebase Security Rules

Get corrected security rules ready to paste into Cursor Agent or deploy directly via Firebase CLI.

What Firebase audits typically find

  • CRITICAL: GET /users — unauthenticated request returns 1,247 user documents
  • CRITICAL: Firestore rules contain `allow read, write: if true` — full public access
  • HIGH: Firebase Storage bucket allows public reads at gs://myapp.appspot.com/private/
  • HIGH: Firebase config exposed including storageBucket and authDomain
  • MEDIUM: No server-side token verification — client-side auth state only

Common questions

Are Firebase API keys supposed to be public?

The Firebase client API key is designed to be public — it identifies your project; it does not authenticate you. However, an exposed API key combined with permissive Firestore rules is critical: an attacker can use your public key to target your open database. SecuriSky checks the combination, not just the presence of the key.

How does SecuriSky check Firestore rules without source code access?

SecuriSky extracts your Firebase projectId and databaseURL from your JavaScript bundle, then makes unauthenticated Firestore REST API requests to common collection paths (users, profiles, posts, orders, admin). A 200 response with JSON data confirms documents are readable without authentication.

My app uses Firebase Authentication — does that mean my rules are safe?

Not necessarily. Having Firebase Auth in your app doesn't automatically add security rules. Many AI-generated apps add Auth for user accounts but forget to update Firestore rules from the default `allow read, write: if true`. SecuriSky tests the rules independently of whether Auth is present.

What's the fix if my Firestore rules are open?

SecuriSky generates an AI fix prompt with corrected Firestore security rules that require `request.auth != null` for reads and writes, with collection-specific patterns for your detected data model. The prompt is ready to paste into Cursor Agent or Firebase Console.
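As an added illustration (not SecuriSky's generated prompt or any project's actual rules), here is the open default rule shown as a comment beside a hardened ruleset of the kind the fix describes. The collections (users, posts, admin) are the common paths named above; the authorId field and the owner-per-document model are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // INSECURE default left in many AI-generated projects: anyone, signed in
    // or not, can read, overwrite or delete every document. Shown for contrast.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Shared checks: request.auth is null for unauthenticated REST calls,
    // which is exactly what the scanner's probe sends.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // users/{userId}: only the account owner can read or change their document,
    // so "GET /users" without a token returns nothing instead of every profile.
    match /users/{userId} {
      allow read, write: if isOwner(userId);
    }

    // posts: any signed-in user may read; only the author (assumed field
    // authorId) may create, update or delete. request.resource.data is the
    // incoming document on create; resource.data is the stored one on update/delete.
    match /posts/{postId} {
      allow read: if signedIn();
      allow create: if signedIn()
                    && request.resource.data.authorId == request.auth.uid;
      allow update, delete: if signedIn()
                            && resource.data.authorId == request.auth.uid;
    }

    // admin: never reachable from client SDKs or the REST API;
    // the Admin SDK on a trusted server bypasses rules and is the only path in.
    match /admin/{document=**} {
      allow read, write: if false;
    }

    // Any collection not matched above is denied by default.
  }
}
```

Deploy with `firebase deploy --only firestore:rules` and re-run the scan; the unauthenticated probe of /users should now be rejected.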

Does this work for Firebase Realtime Database too?

SecuriSky primarily audits Firestore (Cloud Firestore). Realtime Database rule detection is on the roadmap. The scanner also checks Firebase Storage rules and your Firebase configuration exposure.

Check if your Firebase database is open right now.

Free scan. No signup. No Firebase console access needed. Results in 60 seconds.


After your free scan, Pro is $19/mo. Cancel anytime.