Get Started with Storage Security Rules

In typical apps, developers must build and maintain many servers that perform authentication, authorization, and data validation, as well as the developer's business logic. Apps using Firebase Storage make use of Firebase Authentication and Firebase Storage Security Rules to handle serverless authentication, authorization, and data validation.

Using Firebase Storage and Storage Security Rules means that you can focus on building a great user experience, without having to manage infrastructure or write complex server-side authentication and authorization code!

Overview

Storage Security Rules are used to determine who has read and write access to files stored in Firebase Storage, as well as how files are structured and what metadata they contain. The basic type of rule is the allow rule, which allows read and write operations if an optionally specified condition is met. Some examples of rules are:

// Rules can optionally specify a condition
allow write: if <condition>;

Rules match file paths representing Firebase Storage references. Rules may match one or more file paths, and more than one rule can match the file path in a given request:

// Rules match specific paths
match /images/profilePhoto.png {
  allow write: if <condition>;
}

match /images/croppedProfilePhoto.png {
  allow write: if <other_condition>;
}

The context of the rule evaluation is also exposed through the request and resource objects, which provide information such as the auth context (request.auth) and the existing object's size (resource.size).

// Rules can specify conditions that consider the request context
match /images/profilePhoto.png {
  allow write: if request.auth != null && request.resource.size < 5 * 1024 * 1024;
}

Learn more about Storage Security Rules in the Secure Files section.

Sample Rules

Storage Security Rules must first specify the service (in our case firebase.storage), and the Firebase Storage bucket (via match /b/<your-firebase-storage-bucket>/o) which rules are evaluated against. The default rules require Firebase Authentication, but here are some examples of other common rules with different access control.

Default

// Only authenticated users can read or write to the bucket
service firebase.storage {
  match /b/<your-firebase-storage-bucket>/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Public

// Anyone can read or write to the bucket, even non-users of your app.
// Because it is shared with Google App Engine, this will also make
// files uploaded via GAE public.
service firebase.storage {
  match /b/<your-firebase-storage-bucket>/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}

User

// Grants a user access to a node matching their user ID
service firebase.storage {
  match /b/<your-firebase-storage-bucket>/o {
    // Files look like: "user/<UID>/path/to/file.txt"
    match /user/{userId}/{allPaths=**} {
      allow read, write: if request.auth.uid == userId;
    }
  }
}

Private

// Access to files through Firebase Storage is completely disallowed.
// Files may still be accessible through Google App Engine or GCS APIs.
service firebase.storage {
  match /b/<your-firebase-storage-bucket>/o {
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}

During development, you can use the public rules in place of the default rules to set your files publicly readable and writable. This is very useful for prototyping, as you can get started without setting up Firebase Authentication. However, because Firebase Storage shares a bucket with your default Google App Engine app, this rule also makes any data used by that app public as well.

User rules allow you to give each of your authenticated users their own personal file storage. You can also lock down your files entirely by using the private rules, but be aware that your users won't be able to read or write anything through Firebase Storage with these rules. Users accessing files from your Google App Engine app or the GCS APIs may still have access.

Before launch, make sure that you evaluate your rules to ensure they provide the maximum level of security your application needs.

Edit Rules

Firebase Storage provides an easy way to edit your Storage Security Rules via the Rules tab in the Firebase console Storage section. In the Rules tab, you can quickly and easily view and edit your current rules. These rules are deployed by clicking Publish, or by saving the file (ctrl/cmd + s). Rules are immediately uploaded to Firebase Storage servers, but may take up to five minutes to become live.

Learn more about how file based security works in the Secure Files section, or understand user based security in the User Security section.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated September 23, 2016.