Firebase Security Rules provide robust, completely customizable protection for your data in Cloud Firestore, Realtime Database, and Cloud Storage. You can easily get started with Rules following the steps in this guide, securing your data and protecting your app from malicious users.

## Understand the Firebase Security Rules language

Before you start writing rules, it's worthwhile to take some time to review the specific Firebase Security Rules language for the Firebase products you're using. Cloud Storage leverages a superset of the Common Expression Language (CEL) that relies on `match` and `allow` statements that set a condition for access at a defined path.

Start by learning the [core syntax of the Firebase Security Rules language](https://firebase.google.com/docs/storage/security/core-syntax).

## Set up Authentication

If you haven't done it already, add [Firebase Authentication to your app](https://firebase.google.com/docs/auth). Firebase Authentication supports many common authentication methods and integrates with Firebase Security Rules to provide comprehensive verification capabilities.

You can set up additional, custom authentication information for your app.

Learn more about [Firebase Security Rules and Firebase Authentication](https://firebase.google.com/docs/rules/rules-and-auth).

## Define your data and rules structures

The way you structure your data might affect the way you structure and implement your rules. As you define your data structures, consider the implications they might have on your Rules structure.

For example, in Cloud Storage, you might want to include a field that denotes a specific role for each user. Then, your rules can read that field and use it to grant role-based access. You can also create a Cloud Firestore database, store access criteria in Cloud Firestore documents, then access those documents from Cloud Storage Security Rules.

As you define your data and rules architectures, keep in mind the way that rules cascade or don't cascade, depending on your product. With Realtime Database, rules work from top-down, with shallower rules overriding deeper rules. If a rule grants read or write permissions at a particular path, then it also grants access to all child nodes under it. In contrast, with Cloud Firestore and Cloud Storage, rules apply only at specified levels of the data hierarchy, and you write explicit rules to control access to different levels.

## Access your rules

To view your existing Rules, use either the Firebase CLI or the Firebase console. Make sure you edit your rules using the same method, consistently, to avoid mistakenly overwriting updates. If you're not sure whether your locally defined rules reflect the most recent updates, the Firebase console always shows the most recently deployed version of your Firebase Security Rules.

To access your rules from the [Firebase console](https://console.firebase.google.com/), select your project, then in the left-hand navigation panel, click **Storage**. Click **Rules** once you're in the correct database or storage bucket.

To access your rules from the Firebase CLI, go to the rules file noted in your [firebase.json file](https://firebase.google.com/docs/cli#the_firebasejson_file).

## Write basic rules

As you're developing your app and understanding Rules, try implementing Rules to address a few [basic use cases](https://firebase.google.com/docs/rules/basics), including the following:

- **Content-owner only:** Restrict access to content by user.
- **Mixed access:** Restrict write access by user, but allow public read access.
- **Attribute-based access:** Restrict access to a group or type of user.
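
The three use cases above, written as one Cloud Storage ruleset. This is an added example, not taken from the Firebase documentation. The paths `private/`, `profiles/` and `reports/`, the Firestore `users` collection, its `role` field and the `reviewer` value are assumptions chosen for illustration.

```firebase-rules
rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {

    // Helper: true only when the caller is signed in as the given user.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Content-owner only: each user can read and write only files
    // under their own folder (assumed path layout).
    match /private/{userId}/{allPaths=**} {
      allow read, write: if isOwner(userId);
    }

    // Mixed access: anyone can read, only the owner can write.
    match /profiles/{userId}/{fileName} {
      allow read: if true;
      allow write: if isOwner(userId);
    }

    // Attribute-based access: the role is stored in a Cloud Firestore
    // document keyed by UID (assumed collection "users", field "role")
    // and read from Cloud Storage rules.
    match /reports/{fileName} {
      allow read: if request.auth != null
        && firestore.get(/databases/(default)/documents/users/$(request.auth.uid)).data.role == 'reviewer';
    }

    // No other match blocks exist, so requests to any other path are
    // denied: Cloud Storage rules do not cascade and an unmatched
    // request has no allow statement to satisfy.
  }
}
```

The `request.auth != null` check comes first in each condition so that unauthenticated requests are rejected before `request.auth.uid` is evaluated.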

## Test your rules

If you're setting up your Firebase Security Rules in the Firebase console, you can use the [Firebase Rules Playground](https://firebase.google.com/docs/rules/simulator) to quickly validate behavior. However, we recommend more thorough testing with the [Local Emulator Suite](https://firebase.google.com/docs/rules/emulator-setup) before you deploy your changes to production.

## Deploy rules

Use the Firebase console or the Firebase CLI to deploy your rules to production. Follow the steps outlined in [Manage and deploy Firebase Security Rules](https://firebase.google.com/docs/rules/manage-deploy).