Bolt.new + Firebase security playbook
Bolt + Firebase is fast for prototypes. Firebase's default-allow security model + Bolt's prompt-driven code generation = security as opt-in: nothing is locked down unless you ask for it. Lock down before launch.
What breaks on this stack
Firestore default-allow rules
Default firestore.rules grants read/write to any authenticated user. Replace with per-user-scoped rules.
Storage bucket default-public
Firebase Storage rules default-allow any read. Lock to authenticated + per-user scope.
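A per-user-scoped storage.rules starter to pair with the firestore.rules starter below. This is an added example, not the page's own config: it assumes uploads live under a users/{userId}/ prefix in the bucket, and the 5 MB cap on create/update is an extra hardening choice, not something the page specifies.

```firebase-rules
// storage.rules (added example; assumes objects are stored under users/{userId}/...)
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Only the owner of users/{userId}/... may read, list, create, update or delete there.
    match /users/{userId}/{allPaths=**} {
      allow read: if request.auth != null && request.auth.uid == userId;
      // Uploads are split out so the size check can apply; request.resource is null on delete,
      // so a single "allow write" with a size condition would silently block deletes.
      allow create, update: if request.auth != null
                            && request.auth.uid == userId
                            && request.resource.size < 5 * 1024 * 1024; // assumed 5 MB cap
      allow delete: if request.auth != null && request.auth.uid == userId;
    }
    // Any path not matched above is denied: rules are deny-by-default once you stop using
    // the test-mode "allow read, write: if true" rule.
  }
}
```

Deploy with `firebase deploy --only storage` and check the Rules tab in the console to confirm the test-mode allow-all rule is gone.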
App Check not enabled
Bolt-generated apps frequently skip App Check; without it, your backend cannot distinguish requests from your real app from requests any script can make with your public Firebase config.
Server config leaked client-side
Firebase service-account JSON shipped to the client = full-admin access for anyone who reads the bundle. Keep it server-only (Cloud Functions or your own backend).
Pre-ship checklist
- firestore.rules per-user-scoped
- storage.rules per-user-scoped
- App Check enabled
- Service-account JSON server-only
- Firebase Auth provider configured
- Cloud Functions auth checks
Starter config
// firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}