<br />

WithCloud FirestoreSecurity Rules, you can focus on building a great user experience without having to manage infrastructure or write server-side authentication and authorization code.

Security rules provide access control and data validation in a simple yet expressive format. To build user-based and role-based access systems that keep your users' data safe, you need to use[Firebase Authentication](https://firebase.google.com/docs/auth/)withCloud FirestoreSecurity Rules.
| **Note:** The server client libraries bypass allCloud FirestoreSecurity Rulesand instead authenticate through[Google Application Default Credentials](https://cloud.google.com/docs/authentication/production). If you're using the server client libraries or the REST or RPC APIs, make sure to set up[Identity and Access Management (IAM) forCloud Firestore](https://cloud.google.com/firestore/docs/security/iam).

## Security rules version 2

As of May 2019, version 2 of theCloud Firestoresecurity rules is now available. Version 2 of the rules changes the behavior of[recursive wildcards](https://firebase.google.com/docs/firestore/security/rules-structure#recursive_wildcards)`{name=**}`. You must use version 2 if you plan to use[collection group queries](https://firebase.google.com/docs/firestore/query-data/queries#collection-group-query). You must opt-in to version 2 by making`rules_version = '2';`the first line in your security rules:  

    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {

## Writing rules

You will write and manageCloud FirestoreSecurity Rulestailored to the data model you create for the default database and each additional database in your project.

AllCloud FirestoreSecurity Rulesconsist of`match`statements, which identify documents in your database, and`allow`expressions, which control access to those documents:  

    service cloud.firestore {
      match /databases/{database}/documents {
        match /<some_path>/ {
          allow read, write: if <some_condition>;
        }
      }
    }

Every database request from aCloud Firestoremobile/web client library is evaluated against your security rules before reading or writing any data. If the rules deny access to any of the specified document paths, the entire request fails.

Below are some examples of basic rule sets. While these rules are valid, they are not recommended for production applications:  

### Auth required

    // Allow read/write access on all documents to any user signed in to the application
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if request.auth != null;
        }
      }
    }

### Deny all

    // Deny read/write access to all users under any conditions
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if false;
        }
      }
    }

### Allow all

    // Allow read/write access to all users under any conditions
    // Warning: **NEVER** use this rule set in production; it allows
    // anyone to overwrite your entire database.
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if true;
        }
      }
    }

The`{document=**}`path used in the examples above matches any document in the entire database. Continue on to the guide for[structuring security rules](https://firebase.google.com/docs/firestore/security/rules-structure)to learn how to match specific data paths and work with hierarchical data.

## Testing rules

Cloud Firestoreprovides a rules simulator that you can use to test your ruleset. You can access the simulator from the[**Rules**tab](https://console.firebase.google.com/project/_/firestore/rules)in theCloud Firestoresection of the Firebase console.

The rules simulator lets you simulate authenticated and unauthenticated reads, writes, and deletes. When you simulate an authenticated request, you can build and preview authentication tokens from various providers. Simulated requests run against the ruleset in your editor, not your currently deployed ruleset.

## Deploying rules

Before you can start usingCloud Firestorefrom your mobile app, you will need to deploy security rules. You can deploy rules in the Firebase console, using the Firebase CLI, or with theCloud Firestoremanagement REST API.

Updates toCloud FirestoreSecurity Rulescan take up to a minute to affect new queries and listeners. However, it can take up to 10 minutes to fully propagate the changes and affect any active listeners.
| **Note:** **When you[deploy security rules using theFirebaseCLI](https://firebase.google.com/docs/cli/#deployment), the rules defined in your project directory overwrite any existing rules in theFirebaseconsole.** So, if you choose to define or edit your security rules using theFirebaseconsole, make sure that you also update the rules defined in your project directory.

### Use the Firebase console

To set up and deploy your first set of rules, for the default database in your project, open the[**Rules**tab](https://console.firebase.google.com/project/_/firestore/rules)in theCloud Firestoresection of the Firebase console.

Write your rules in the online editor, then click**Publish**.
| **Note:** TheFirebaseconsole currently supports deployment ofCloud FirestoreSecurity Rulesto your project's default database. Future updates will allow you to deploy Rules to additional databases in your project. You can use the[Firebase CLI](https://firebase.google.com/docs/firestore/security/get-started#use_the_cli)to work with Rules in your multi-database projects.

### Use the Firebase CLI

You can also deploy rules using the[Firebase CLI](https://firebase.google.com/docs/cli). Using the CLI allows you to keep your rules under version control with your application code and deploy rules as part of your existing deployment process.  

    // Set up Firestore in your project directory, creates a .rules file
    firebase init firestore

    // Edit the generated .rules file to your desired security rules
    // ...

    // Deploy rules for all configured databases
    firebase deploy --only firestore

## Enhance security forCloud Storage

Your apps will benefit from the robust database features ofCloud Firestoreand the file storage and management features ofCloud Storage. Used together, these products also provide reinforcing app security, sinceCloud Firestorecan capture authorization requirements usable by Firebase Security Rules for both products. For more, see the[guide forCloud Storage](https://firebase.google.com/docs/storage/security/rules-conditions#enhance_with_firestore).

## Next steps

- Learn how to[structure security rules](https://firebase.google.com/docs/firestore/security/rules-structure).
- Write[custom security rules conditions](https://firebase.google.com/docs/firestore/security/rules-conditions).
- Read the[security rules reference](https://firebase.google.com/docs/reference/rules/rules).