Firebase open database check

Check if your Firebase database is open to the public

Firebase Realtime Database and Firestore start locked, but a common fix during development is to open the rules and forget to close them. Open rules let anyone read your data.

A sample of what you might see

Critical: Open Firebase database

An unauthenticated read of your database returned data, which means the security rules are open to the public.

{ "users": { "•••": { "email": "•••@•••.com" } } }

Illustrative, redacted. We never store your data.

The scan checks, from the outside, whether your database responds to an unauthenticated read. It reads only and redacts any sample.

The scan supports JavaScript and TypeScript apps today. It is passive and outside-in.

Questions

How do you check Firebase without credentials?

We make an unauthenticated read against your public database URL. If it returns data, the rules are open. We never write.

How do I fix open Firebase rules?

Tighten the security rules so reads and writes require the right authenticated user. We can make and prove that change in a reviewable pull request.
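
What that change can look like for Realtime Database, as an added example rather than output from the scanner or a real project: fully open rules beside rules that limit each record under `users` to its owner. The `users/$uid` layout, keyed by the Firebase Auth UID, is an assumption based on the redacted sample above.

```json
// BEFORE: open rules. Any client, signed in or not, can read and write everything.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// AFTER: no root-level grant, so every path is denied unless a rule allows it.
// Assumes records live at /users/<uid>, keyed by the Firebase Auth UID.
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

Realtime Database rules cascade: a `.read` or `.write` granted at a parent path cannot be revoked lower down, so the root-level grants have to be removed rather than overridden.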
