Firebase open database check
Check if your Firebase database is open to the public
Firebase Realtime Database and Firestore start locked, but a common shortcut during development is to open the rules and then forget to close them. Open rules let anyone read your data.
A sample of what you might see
An unauthenticated read of your database returned data, which means the security rules are open to the public.
{ "users": { "•••": { "email": "•••@•••.com" } } }
Illustrative, redacted. We never store your data.
The scan checks, from the outside, whether your database responds to an unauthenticated read. It reads only and redacts any sample.
Works with JavaScript and TypeScript apps today. The scan is passive and outside-in.
Questions
How do you check Firebase without credentials?
We make an unauthenticated read against your public database URL. If it returns data, the rules are open. We never write.
How do I fix open Firebase rules?
Tighten the security rules so reads and writes require the right authenticated user. We can make and prove that change in a reviewable pull request.
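One way to review a Realtime Database rules file before deploying it, as an added example that is not this service's scanner or code. The function names and both rule sets are hypothetical, and treating any expression that never mentions `auth` as public is an assumption of this sketch.

```javascript
// Added example: lint Realtime Database rules for paths any visitor can reach.
// Both rule sets are constructed samples, not taken from a real project.
const openRules = { rules: { ".read": true, ".write": true } };

const tightenedRules = {
  rules: {
    users: {
      $uid: {
        // Only the signed-in owner of this record may read or write it.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
    // Deliberately public path: it is still reported so that it gets reviewed.
    announcements: { ".read": "true", ".write": false },
  },
};

// A rule is public when it grants access without ever consulting `auth`:
// literal true, the string "true", or an expression that never mentions auth.
function isPublic(expr) {
  if (typeof expr === "boolean") return expr;
  if (typeof expr !== "string") return false;
  const e = expr.trim();
  return e !== "false" && !/\bauth\b/.test(e);
}

// Walk the rules tree and report every .read/.write a visitor can satisfy.
// Grants cascade to child paths, so a finding at "/" exposes the whole database.
function findPublicRules(node, path = "") {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === ".read" || key === ".write") {
      if (isPublic(value)) findings.push(`${path || "/"} ${key.slice(1)}`);
    } else if (!key.startsWith(".") && value && typeof value === "object") {
      findings.push(...findPublicRules(value, `${path}/${key}`));
    }
  }
  return findings;
}

console.log(findPublicRules(openRules.rules));      // whole database exposed
console.log(findPublicRules(tightenedRules.rules)); // only the intended public path
```

A rule such as `auth != null` passes this check but still admits every signed-in user, so per-user paths should also compare `auth.uid` as the tightened sample does.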