
Common Mistakes in Firebase Security Rules

60 points by kedmi, about 7 years ago

5 comments

realpeopleio, about 7 years ago

This was a different way of thinking about security rules for us. But basically you have to make everything not readable and not writable at the root and then open up access farther down. And the way you need to structure your data will be affected. You might have a "user" level in the tree but you make a child level "private" readable by the actual user and no one else, like /users/$userId/private. Then you might have a /users/$userId/public that anyone can read, etc.

We also don't allow any writing directly to the data nodes but rather have a separate level in the tree where "requests" are written, then a privileged process reads, processes, and writes to the main data nodes, then notifies the client it's done by writing to a "response" node that only the client can read. This helps us make the security rules a little simpler and less error prone to mistakes, but primarily it's so we have a hook to run business processes and validation that doesn't need to be in the client which is unsafe.

I'd recommend using the bolt compiler (https://github.com/firebase/bolt) so that you can write rules using repeatable logic and so that you can actually read complex rules.
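Realtime Database rules implementing the layout realpeopleio describes (deny everything at the root, owner-only /users/$userId/private, world-readable /users/$userId/public, and a requests/responses queue that clients can only append to or read from), written here as an added example rather than anything taken from the thread or from Firebase's own docs; the node names, the request's `type`/`payload` fields and the `displayName` field are assumptions, and the `//` comments are the form the Firebase rules editor accepts.

```json
{
  "rules": {
    // Nothing is readable or writable at the root; access is opened per subtree below.
    ".read": false,
    ".write": false,

    "users": {
      "$userId": {
        // Owner-only subtree: only a signed-in user whose uid matches the path segment.
        "private": {
          ".read": "auth != null && auth.uid === $userId",
          ".write": "auth != null && auth.uid === $userId"
        },
        // World-readable profile; still only the owner may write it, and the shape is checked.
        "public": {
          ".read": true,
          ".write": "auth != null && auth.uid === $userId",
          ".validate": "newData.hasChildren(['displayName']) && newData.child('displayName').isString()"
        }
      }
    },

    // Request queue: clients never touch the main data nodes directly.
    // A request is write-once (!data.exists()) so a client cannot rewrite one after it is queued.
    "requests": {
      "$userId": {
        "$requestId": {
          ".write": "auth != null && auth.uid === $userId && !data.exists()",
          ".validate": "newData.hasChildren(['type', 'payload']) && newData.child('type').isString()"
        }
      }
    },

    // Response node: only the owning client can read it. Nobody writes through the rules;
    // the privileged backend (Admin SDK) bypasses rules, so no client-side write path is needed.
    "responses": {
      "$userId": {
        ".read": "auth != null && auth.uid === $userId",
        ".write": false
      }
    }
  }
}
```

Because `.read` and `.write` cascade downward and a child rule can only widen, never revoke, a parent's grant (the cascading behaviour throwawayReply asks about), the `.read: true` must sit on `public` itself rather than on `$userId`. `.validate` rules do not cascade and are evaluated only at the node they are written on.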
bluetidepro, about 7 years ago
This article is fantastic for people that are more new to Firebase and make these common mistakes. I know when I first started using Firebase for side projects (for fun), as just a front-end dev using Firebase, I found the security aspect of Firebase very overwhelming and scary. I ended up having to pull in some dev friends to help me dial them in properly. The Firebase security docs may be way better now but even as little as a year ago, I found them to just gloss over the topic too casually, personally. It did not make me feel super confident in the security rules I had. I really appreciate the author here taking the time to outline some of these and expand their thoughts more! It really helps a ton!
throwawayReply, about 7 years ago

I'm not familiar with firebase, but am I reading correctly that rules cascade but without specificity rules?

How does cascading make sense at all if lower-down rules don't supersede higher rules?
unoti, about 7 years ago

I used to use Firebase. I was ecstatic about the fact that I didn’t need a server.

Then I spent months where whenever I needed to solve a use case I’d spend more time thinking about how to structure my data, how to secure it. I’d spend a lot less time actually building features and more time twisting myself into knots figuring out how to make it work with security rules. It feels backwards to me to have security dictate the structure of my data rather than the business needs.

I switched to Azure functions front ending my data, which resides in Cosmos DB. Now I can structure my data in a way that suits the business need. Security is incomparably easier now and more flexible.
pspeter3, about 7 years ago
Does this apply to data store though?