⚡ 100% Free — No signup required

Firebase Rules
Security Validator

Instantly audit your Firestore & Storage security rules for vulnerabilities, open access, and misconfigurations.

24+ Security checks

<1s Analysis time

Free Always

EXAMPLES:

— /100

Security Score

Run analysis to see results

rules.txt

analysis.log

🔍

Paste your rules and click Analyze

What we check

24 security rules analyzed instantly

🚨

Open Access Detection

Catches allow read, write: if true and other rules that expose your entire database to the public internet.

🔐

Auth Checks

Verifies that sensitive operations require proper authentication and that request.auth != null is present where needed.

👤

Ownership Validation

Checks that users can only read/write their own data with request.auth.uid == resource.data.userId patterns.

📋

Field Validation

Detects missing request.resource.data validation that could allow users to write arbitrary fields to your documents.

🏗️

Wildcard Analysis

Identifies dangerous recursive wildcards (/{document=**}) that may unintentionally grant access to subcollections.

⚡

Fix Suggestions

Every issue comes with an explanation and a copy-paste fix. Not just problems — solutions.

Firebase Security

The FireGuard Blog

Deep dives into Firebase security, Firestore rules patterns, and best practices for building safe apps.

Guide

How FireGuard Works

FireGuard parses your Firebase Security Rules and runs 24+ static analysis checks entirely in your browser. Nothing is sent to any server.

Security checks reference

Below is a complete list of all checks FireGuard runs when you click "Analyze".

How to use

Paste your firestore.rules content into the editor on the left
Click Analyze Security Rules
Review issues sorted by severity (Critical → Low)
Apply the suggested fixes to your rules file
Re-run to confirm the issues are resolved

Privacy

All analysis happens 100% in your browser using JavaScript. Your rules are never sent to any external server. FireGuard has no backend.

Limitations

FireGuard performs static analysis — it can't simulate actual Firestore reads/writes. For comprehensive testing, use the Firebase Emulator Suite alongside FireGuard.

Firebase RulesSecurity Validator