Is my Firebase public?

Short answer

If your Firestore / Realtime Database rules start with `allow read, write: if true` at any level, yes. Any user of your app (and anyone with your public Firebase config) can read those paths. Check your firebase.rules file or Rules tab in the Firebase console.

Firebase security is entirely rule-driven. The anonymous Firebase config (apiKey, authDomain, projectId, etc.) is designed to be public — it ships in your app's JavaScript by design. Security comes from rules, not from hiding the config.

Check yours: 1. Open Firebase console → Firestore → Rules 2. Look for `allow read, write: if true` anywhere — that's default-allow, fully public 3. Look for rules that don't reference `request.auth.uid` — those probably don't enforce ownership

Firestore rules checklist: - Every collection has explicit rules scoped by auth.uid + tenant - Storage rules similarly scoped - Default-deny at root (`match /{document=**} { allow read, write: if false; }`) - Rules tested with Firebase Emulator Suite

Deep dive: /guides/firebase-security (coming soon) and /safe/is-firebase-safe for the full review.

People also ask

Is my Supabase public?
Your Supabase is public by default on any table without Row-Level Security enabled. Anyone with your anon key (which shi
Will my Lovable app get hacked?
If you shipped a Lovable app without running a security scan, you have roughly a 16% chance of shipping with an exposed