Firebase Security Rules are powerful — and silently wrong.
Firebase Security Rules feel safe ("only authenticated users can read") right up until you realize "authenticated users" includes anyone who signs up. The default templates are too permissive for most apps, and Firestore makes it easy to ship an app where everyone can read everything.
Get a graded security report for your Firebase app in under a minute.
`request.auth != null` (any signed-in account) is too permissive in 90% of apps. CheckVibe probes documents to verify rule enforcement.
The default Storage rule in dev mode lets anyone read or write any file.
Without App Check, your Firebase project is callable from any client — botted, scraped, abused.
HTTP-triggered functions need explicit auth checks.
Stack traces leak Firestore document paths and internal structure.
Use `request.auth.uid == resource.data.userId` patterns. CheckVibe outputs the exact rule for each unprotected collection.
In your Storage rules, allow read only on user-owned paths.
Enabling App Check takes five minutes in the Firebase Console and blocks 99% of automated abuse.
In each Cloud Function, reject unauthenticated requests unless the function is explicitly meant to be public.
Security Rules are the only defense for direct client access, but you also need App Check and proper Cloud Function auth.
Test your rules manually with the Firebase Console rules simulator, or automatically by pasting your project URL into CheckVibe.
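The weak `request.auth != null` rule next to the owner-scoped `request.auth.uid == resource.data.userId` pattern, as an added example written for this page (not CheckVibe's output or a Firebase template). The collection names `users` and `posts`, the `userId` and `public` fields, and the `users/{userId}/...` Storage layout are assumptions; substitute your own schema. The Firestore and Storage rules normally live in separate files (`firestore.rules` and `storage.rules`), and are shown together here only for comparison:

```rules
rules_version = '2';

// ---- firestore.rules ----
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (the dev-mode habit): every signed-up account can read and
    // write every document in the database. Left here, commented out,
    // to show what the hardened rules below replace.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened: a user may only touch their own profile document.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Hardened: posts are readable if flagged public (assumed field),
    // otherwise only by their owner; writes are owner-only and the
    // owner field cannot be reassigned on update.
    match /posts/{postId} {
      allow read: if resource.data.public == true
                  || (request.auth != null
                      && request.auth.uid == resource.data.userId);
      allow create: if request.auth != null
                    && request.resource.data.userId == request.auth.uid;
      allow update, delete: if request.auth != null
                            && request.auth.uid == resource.data.userId
                            && request.resource.data.userId == resource.data.userId;
    }

    // Everything not matched above is denied. Firestore already denies
    // by default; stating it keeps the intent visible during review.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

// ---- storage.rules ----
service firebase.storage {
  match /b/{bucket}/o {
    // Files are stored under users/{uid}/..., so ownership is checked
    // against the path segment rather than a document field.
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
  }
}
```

Two details worth checking in the simulator: a read of a `posts` document with no `public` field fails the first comparison and falls through to the owner check, which is the safe direction; and the `create` rule compares against `request.resource.data`, the incoming document, because `resource.data` is empty before the document exists.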