Firebase Security
Your Firebase web config is public by design — that is not the leak. The real risks are permissive Security Rules and open storage buckets. Here’s how to tell them apart and lock yours down.
6 articles
Firebase Security for AI-Built Apps: The Complete Guide
Firebase security rules in plain English for vibe-coded apps. Your API key is public by design — learn what's actually secret and how to secure Firebase.
Firebase Security Rules: 12 Mistakes AI Tools Make
The 12 Firebase Security Rules mistakes AI builders ship — from allow read, write: if true to leftover test-mode rules — each with a quick before/after fix.
Firebase vs Supabase: A Security Comparison
Firebase vs Supabase security, compared evenly. Both ship a public client key — the real risk is the rules layer. See how each protects you and how each leaks.
Open Storage Buckets: The #1 Firebase Leak
Firebase Storage security is where the worst leaks happen. Learn how open buckets exposed 72,000 IDs, how to write owner-scoped rules, and how to check yours.
The Tea App Breach: How a Firebase Bucket Exposed 72,000 IDs
The Tea app breach explained: an unsecured Firebase Storage bucket exposed ~72,000 images, including ID photos. The root cause and how to check your buckets.
Your Firebase Web Config Is Public by Design — Here's What to Actually Secure
Is your Firebase API key safe to expose? Yes — the web config is public by design. Here's what it does, why rotating it is pointless, and what to actually lock down.