Firebase Firestore Security Audit - Find if-true Leaks Free

Pricing

Pay per usage

Static analyzer for firestore.rules + live anonymous probe. Detects 'if true' wide-open rules, expired test-mode, auth-only patterns, open storage. HTML report with paste-ready fix snippets. Free demo mode if you don't have rules handy.

Developer

Renzo Madueno

Firebase Firestore Security Auditor

If your firestore.rules has if true, expired test-mode, or auth-only-no-ownership patterns, anyone with your project ID can read your users' data right now. This actor finds those leaks in 30 seconds and tells you exactly which rules to fix.

Recent census: I scanned 35 random Firebase projects from public GitHub repos. 23% are leaking user data anonymously to a plain curl from any IP. Your project ID is bundled in firebase-config.js; it's effectively public the moment you ship.

What it detects (7 patterns)

  • 🚨 match /{document=**} { allow read, write: if true; } (the classic catch-all; CRITICAL)
  • 🚨 Bare if true literals on any match block (CRITICAL)
  • ⚠️ if request.auth != null without an ownership check (HIGH): lets ANY logged-in user read EVERY user's data
  • ⚠️ Test-mode timestamp rules with timestamp.date(2099, 1, 1) or any other future date (HIGH): wide open until that date
  • ⚠️ Catch-all read open + write closed (MEDIUM): fine for product catalogs, fatal for /payments
  • 📦 Storage rules with open read on user uploads (HIGH)
  • 💡 Missing explicit default-deny rule (INFO)

Each finding ships with a paste-ready fix snippet you drop straight into firestore.rules.
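To show how the static-analysis half of these checks can work, here is a small rules checker added for this page (not the actor's own source): it walks the match blocks of a firestore.rules text and flags the wide-open, test-mode, auth-only and missing-default-deny patterns from the list above. The rules text and path names are constructed for the demo.

```javascript
// Constructed sample: test-mode catch-all plus an auth-only read on /profiles.
const WEAK_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2099, 1, 1);
    }
    match /profiles/{uid} {
      allow read: if request.auth != null;
      allow write: if request.auth != null && request.auth.uid == uid;
    }
  }
}`;

// Collect every `allow` statement together with its enclosing `match` path.
// A brace stack tracks nesting; bare `{` (service, function bodies) inherit
// the current path so the stack stays balanced.
function parseAllows(rules) {
  const out = [], stack = ['/'];
  const re = /match\s+(\S+)\s*\{|(\{)|(\})|allow\s+([\w,\s]+?):\s*if\s+([^;]+);/g;
  for (let m; (m = re.exec(rules)) !== null;) {
    if (m[1]) stack.push(m[1]);
    else if (m[2]) stack.push(stack[stack.length - 1]);
    else if (m[3]) stack.pop();
    else out.push({ path: stack[stack.length - 1],
                    ops: m[4].split(',').map(s => s.trim()), cond: m[5].trim() });
  }
  return out;
}

// Returns findings as { severity, path, msg }; an empty array means clean.
function auditRules(rules, now = Date.now()) {
  const findings = [];
  let hasDefaultDeny = false;
  for (const a of parseAllows(rules)) {
    const catchAll = a.path.includes('{document=**}');
    const push = (severity, msg) => findings.push({ severity, path: a.path, msg });
    if (catchAll && a.cond === 'false') hasDefaultDeny = true;
    if (a.cond === 'true') {
      if (catchAll && !a.ops.includes('write')) push('MEDIUM', 'catch-all read open to anyone');
      else push('CRITICAL', catchAll ? 'wide-open catch-all rule' : 'bare "if true" allow');
    }
    // Test-mode pattern: a time-bounded allow whose cutoff date is still ahead of us.
    const ts = /timestamp\.date\((\d{4}),\s*(\d{1,2}),\s*(\d{1,2})\)/.exec(a.cond);
    if (ts && Date.UTC(+ts[1], +ts[2] - 1, +ts[3]) > now) push('HIGH', `test-mode rule open until ${ts[1]}-${ts[2]}-${ts[3]}`);
    // Auth-only pattern: signed-in check with no request.auth.uid comparison.
    if (/request\.auth\s*!=\s*null/.test(a.cond) && !/request\.auth\.uid\s*==/.test(a.cond))
      push('HIGH', 'auth-only rule without ownership check');
  }
  if (!hasDefaultDeny) findings.push({ severity: 'INFO', path: '/', msg: 'no explicit default-deny catch-all' });
  return findings;
}
console.log(auditRules(WEAK_RULES));
```

Run against the sample it reports the 2099 test-mode rule, the auth-only read on /profiles/{uid} and the missing default deny; the fix snippet shown further down this page comes back clean.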

How to run

You can run with EITHER one of these inputs:

  1. projectId: sends an anonymous GET to your Firestore REST endpoint to confirm what's leaking live
  2. rulesContent: paste the contents of your firestore.rules file for static analysis

Run with both for the complete picture. Both are optional: if you provide neither, the actor runs a DEMO against a known-bad rules fixture so you can see what the report looks like.

What you get

Two outputs land in the run's storage:

  • REPORT in the Key-Value Store: a self-contained HTML page with letter grade (A+ to F), severity charts, per-finding fix snippets with copy buttons, and an "apply all fixes" bundle at the bottom. Open in any browser, forward to your team.
  • Dataset rows: one structured row per finding for piping into your own pipeline.

Sample finding (from the demo run)

[CRITICAL] Wide-open catch-all rule
Target: match /{document=**}
★ CONFIRMED LEAK: anonymous Firestore REST returned 47 documents (12,453 bytes)
Paths visible: users/abc123, users/def456, ...
Fix snippet (paste into firestore.rules):
match /{document=**} {
  allow read, write: if false;
}
match /users/{uid} {
  allow read: if request.auth != null && request.auth.uid == uid;
  allow write: if request.auth != null && request.auth.uid == uid;
}

Want a written report + Q&A support?

Free actor → you find leaks. $29 lite tier (top 3 fixes + written summary) or $99 full audit (every match block + 30-day Q&A + paste-ready bundle, 24h delivery). The CTA links inside the HTML report take you to Stripe.

Free in-browser scanner (no install, no actor): https://perufitlife.github.io/firebase-security-skill/scan.html

Source code

All MIT licensed:

Sister auditors (same family)

If you also use other BaaS products:

All open source: https://github.com/Perufitlife