<br />

Firebase Security Rules provide robust, completely customizable protection for your data inCloud Firestore,Realtime Database, andCloud Storage. You can easily get started withRulesfollowing the steps in this guide, securing your data and protecting your app from malicious users.

## Understand the Firebase Security Rules language

Before you start writing rules, it's worthwhile to take some time to review the specific Firebase Security Rules language for the Firebase products you're using.Realtime Databaseleverages a JavaScript-like syntax and JSON structure for itsRules.

Start by learning the[core syntax of the Firebase Security Rules language](https://firebase.google.com/docs/database/security/core-syntax).

## Set upAuthentication

If you haven't done it already, add[Firebase Authenticationto your app](https://firebase.google.com/docs/auth).Firebase Authenticationsupports many common authentication methods and integrates with Firebase Security Rules to provide comprehensive verification capabilities.

You can set up additional, custom authentication information for your app.

Learn more about[Firebase Security Rules andFirebase Authentication](https://firebase.google.com/docs/rules/rules-and-auth).

## Define your data and rules structures

### Define data for security

The way you structure your data might affect the way you structure and implement your rules. As you define your data structures, consider the implications they might have on yourRulesstructure.

For example, inRealtime Database, you might want to include a field that denotes a specific role for each user. Then, your rules can read that field and use it to grant role-based access.

As you define your data and rules architectures, keep in mind the way that rules cascade or don't cascade, depending on your product. WithRealtime Database, rules work from top-down, with shallower rules overriding deeper rules. If a rule grants read or write permissions at a particular path, then it also grants access to all child nodes under it. In contrast, withCloud FirestoreandCloud Storage, rules apply only at specified levels of the data hierarchy, and you write explicit rules to control access to different levels.

## Access your rules

To view your existingRules, use either theFirebaseCLI or theFirebaseconsole. Make sure you edit your rules using the same method, consistently, to avoid mistakenly overwriting updates. If you're not sure whether your locally defined rules reflect the most recent updates, the Firebase console always shows the most recently deployed version of your Firebase Security Rules.

To access your rules from the[Firebaseconsole](https://console.firebase.google.com/), select your project, then in the left-hand navigation panel, click**Realtime Database** . Click**Rules**once you're in the correct database or storage bucket.

To access your rules from theFirebaseCLI, go to the rules file noted in your[firebase.json file](https://firebase.google.com/docs/cli#the_firebasejson_file).

## Write basic rules

As you're developing your app and understandingRules, try implementingRulesto address a few[basic use cases](https://firebase.google.com/docs/rules/basics), including the following:

- **Content-owner only:**Restrict access to content by user.
- **Mixed access:**Restrict write access by user, but allow public read access.
- **Attribute-based access:**Restrict access to a group or type of user.

## Test your rules

If you're setting up your Firebase Security Rules in theFirebaseconsole, you can use the[Firebase Rules Playground](https://firebase.google.com/docs/rules/simulator)to quickly validate behavior. However, we recommend more thorough testing with the[Local Emulator Suite](https://firebase.google.com/docs/rules/emulator-setup)before you deploy your changes to production.

## Deploy rules

Use theFirebaseconsole or theFirebaseCLI to deploy your rules to production. Follow the steps outlined in[Manage and deploy Firebase Security Rules](https://firebase.google.com/docs/rules/manage-deploy).