AI Prompt: Write Firebase Security Rules

This prompt can help your AI assistant (like the Gemini CLI ) generate and refine Firebase Security Rules for your app. You can use the prompt to draft Security Rules for common use cases, such as granting user-specific access, implementing role-based permissions, and validating data.

This prompt focuses on generating Security Rules for:

Cloud Firestore : Secure collections and documents based on your app's logic.
Cloud Storage for Firebase : Validate access permissions for your stored files.

Using this prompt can help you get started with a strong security posture, but you should always test your Security Rules thoroughly before deploying to production. For more information about testing Security Rules , review Get started with Firebase Security Rules : Test your Security Rules .

Important:

Your Firebase Security Rules are not automatically updated. The Gemini CLI extension described in this guide runs one time to create your Security Rules based on your project's current state. It does not continuously monitor your app or file system. It won't automatically update your Security Rules as you develop new features.

You must manually update your Security Rules every time you:

Add a new database collection or path
Change your data's structure or schema
Change your file storage structure

To update your Security Rules , you must either re-run the prompt to rebuild your Security Rules or edit them manually.

If you add new features without updating your Security Rules , you risk creating:

Security gaps: Your new data may be left unsecured and publicly readable/writable.
Broken features: Your app may be blocked from accessing the new data, causing it to fail.

Prerequisites

Familiarize yourself with Firebase Security Rules best practices .
To run unit tests for Firebase Security Rules and use the Firebase Local Emulator Suite , install Node.js and the Firebase CLI . For full instructions, refer to Install, configure, and integrate Firebase Local Emulator Suite .
Recommended: If you haven't already, install Gemini CLI . The following instructions explain how to install and use a Gemini CLI extension to generate Security Rules . If you prefer to use another AI assistant, you can copy and paste the prompt from the extension's repository into your chosen AI assistant.
This Gemini CLI extension uses the Firebase MCP server to validate the Firebase Security Rules it generates. The MCP server can also be used for easier testing and deployment of your Security Rules . Install the Firebase MCP server before using the extension to generate Firebase Security Rules .

Limitations

We are actively improving this experience, so this list of limitations may change. Check back often for updates.

The prompt is designed to generate Firebase Security Rules for Cloud Firestore and Cloud Storage for Firebase . It's not yet capable of generating Security Rules for Firebase Realtime Database .
Firebase Security Rules are not called when accessing your database or bucket from a server or other backend environment, such as when using the Firebase Admin SDK . If you're using the Admin SDK , you're responsible for managing authorization and data validation in your backend code.
Gemini in Firebase within the Firebase console is unable to generate Firebase Security Rules , even when using this prompt. Instead, use an alternate AI assistant that has access to your codebase, such as Gemini CLI (which is described on this page).

Use the prompt

This prompt is available from the Gemini CLI extension for Firebase Security Rules to generate your Security Rules and tests. This extension analyzes your source code to help identify data schemas and access patterns for Cloud Firestore and Cloud Storage . It's designed to draft Security Rules based on the principle of least privilege and attempts to uncover vulnerabilities through iterative "attack" simulations. To assist with final verification, it provides a starting unit test suite using @firebase/rules-unit-testing , allowing you to verify your security logic locally using the Firebase Local Emulator Suite .

Using this extension requires three steps which are described in this section:

Generate your Security Rules and tests .
Review Security Rules validation and test results .
Deploy Security Rules to your Firebase project .

Step 1: Generate Security Rules and tests

Install and run the extension:

Install the Gemini CLI extension:

 gemini  
extensions  
install  
https://github.com/firebase/snippets-rules

Start Gemini CLI :
```
 gemini 
```
Note: Before generating Security Rules , make sure that you're connected to the Firebase MCP server .
From the root of your project, run the extension to generate Security Rules for either Cloud Firestore or Cloud Storage :
- Generate Security Rules for Cloud Firestore :
```
 /firebase-rules:firestore  
Generate  
 Firebase  
Security  
Rules 
  
using  
PROJECT  
ID  
 PROJECT_ID 
 
```
  In the parent directory, the extension creates a firestore.rules file and a new rules_test directory that contains a Node.js project with unit tests for the generated Security Rules .
- Generate Security Rules for Cloud Storage for Firebase :
```
 /firebase-rules:storage  
Generate  
 Firebase  
Security  
Rules 
  
using  
PROJECT  
ID  
 PROJECT_ID 
  
and  
BUCKET  
NAME  
 BUCKET_NAME 
 
```
  In the parent directory, the extension creates a storage.rules file and a new storage_rules_test directory that contains a Node.js project with unit tests for the generated Security Rules .

Step 2: Review Security Rules validation and test results

Make sure the following are done by your AI assistant. You should get a generated summary after the extension runs.
- Syntax validation: After generating Security Rules , Gemini CLI automatically validates syntax using the firebase_validate_security_rules command from the Firebase MCP server.
- Unit tests: After validating syntax, Gemini CLI attempts to run the generated unit tests using the Firebase Local Emulator Suite .
If tests don't run automatically, start the Firebase Local Emulator Suite in a separate terminal , then use one of the following options to run the tests:
- Option 1: Instruct Gemini CLI to run tests:
```
 Firebase Emulator Suite is running in a separate terminal. Please execute the tests. 
```
- Option 2: Run tests manually by following the instructions in the README.md file in the rules_test or storage_rules_test directory.

Step 3: Deploy Security Rules to your Firebase project

When you're satisfied with the result of your generated Security Rules , use the following Firebase CLI commands to deploy the Security Rules to your Firebase project:

Cloud Firestore

 firebase  
deploy  
--only  
firestore:rules

Cloud Storage for Firebase
```
 firebase  
deploy  
--only  
storage 
```

Additional resources

For additional help with your security posture, you can also use the security extension for Gemini CLI , an open-source extension that analyzes code changes to identify security risks and vulnerabilities.