
Traditionally, security has been one of the most complex parts of app development. In most applications, developers must build and run a server that handles authentication (who a user is) and authorization (what a user can do). Authentication and authorization are hard to set up, harder to get right, and critical to the success of your product.

Similar to how Firebase Authentication makes it easy for you to authenticate your users, Firebase Security Rules for Cloud Storage makes it easy for you to authorize users and validate requests. Cloud Storage Security Rules manage the complexity for you by allowing you to specify path-based permissions. In just a few lines of code, you can write authorization rules that restrict Cloud Storage requests to a certain user or limit the size of an upload.

**Note:** If you use Google App Engine and have a default Cloud Storage bucket with a name format of `*.appspot.com`, you may need to consider [how your security rules impact access to App Engine files](https://firebase.google.com/docs/storage/gcp-integration#security-rules-and-app-engine-files).

The Firebase Realtime Database has a similar feature, called [Firebase Realtime Database Security Rules](https://firebase.google.com/docs/database/security).

## Authentication

Knowing who your users are is an important part of building an application, and Firebase Authentication provides an easy-to-use, secure, client-side-only solution to authentication. Firebase Security Rules for Cloud Storage ties in to Firebase Authentication for user-based security. When a user is authenticated with Firebase Authentication, the `request.auth` variable in Cloud Storage Security Rules becomes an object that contains the user's unique ID (`request.auth.uid`) and all other user information in the token (`request.auth.token`). When the user is not authenticated, `request.auth` is `null`. This allows you to securely control data access on a per-user basis. You can learn more in the [Authentication](https://firebase.google.com/docs/storage/security/rules-conditions#authentication) section.

## Authorization

Identifying your user is only part of security. Once you know who they are, you need a way to control their access to files in Cloud Storage.

Cloud Storage lets you specify per-file and per-path authorization rules that live on our servers and determine access to the files in your app. For example, the default Cloud Storage Security Rules require Firebase Authentication in order to perform any `read` or `write` operations on all files:

```
service firebase.storage {
  match /b/{bucket}/o {
    match /someFolder/{fileName} {
      allow read, write: if request.auth != null;
    }
  }
}
```

You can edit these rules by selecting a Firebase app in the [Firebase console](https://console.firebase.google.com/) and viewing the `Rules` tab of the Storage section.

## Data Validation

Firebase Security Rules for Cloud Storage can also be used for data validation, including validating file name and path as well as file metadata properties such as `contentType` and `size`.

```
service firebase.storage {
  match /b/{bucket}/o {
    match /images/{imageId} {
      // Only allow uploads of any image file that's less than 5MB
      allow write: if request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }
  }
}
```
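
The following ruleset is an added example, not part of the original page. It combines the three ideas above (the `request.auth` check, per-path authorization, and metadata validation) so that each user can only touch files under their own folder. The `/users/{userId}/images/{imageId}` layout is an assumed path structure chosen for illustration.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumed layout: every user's images live under /users/<uid>/images/.
    // {userId} captures that path segment so it can be compared to the token.
    match /users/{userId}/images/{imageId} {

      // Authorization: only the signed-in owner may read their files.
      // The null check comes first; request.auth is null when signed out.
      allow read: if request.auth != null
                  && request.auth.uid == userId;

      // Validation applies to create and update, where request.resource
      // describes the incoming file. size is in bytes; contentType is the
      // metadata sent with the upload, so this constrains what the client
      // declares about the file.
      allow create, update: if request.auth != null
                            && request.auth.uid == userId
                            && request.resource.size < 5 * 1024 * 1024
                            && request.resource.contentType.matches('image/.*');

      // A delete carries no incoming file, so it gets its own rule with
      // the ownership check only.
      allow delete: if request.auth != null
                    && request.auth.uid == userId;
    }
  }
}
```

Splitting `write` into `create`, `update` and `delete` keeps the size and content-type conditions off deletes, where there is no uploaded file to validate. Paths that match no rule are denied.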

## Next steps

- [Get started](https://firebase.google.com/docs/storage/security/get-started) planning rules development for your Cloud Storage buckets.

- Learn more about [securing your data](https://firebase.google.com/docs/storage/security/core-syntax) using security rules.