Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Securing Your Firebase Apps: A Deep Dive into F...

Avatar for Ayodele Aransiola Ayodele Aransiola
November 29, 2025
Programming
0
3

Securing Your Firebase Apps: A Deep Dive into Firestore Rules

Building with Firebase is fast, but speed often comes at the cost of security. Many teams launch with permissive Firestore rules, sometimes even allowing read, write—if true—without realizing that these rules are their only line of defense against unauthorized access. The result? Exposed data

Avatar for Ayodele Aransiola

Ayodele Aransiola

November 29, 2025
Tweet

More Decks by Ayodele Aransiola

See All by Ayodele Aransiola
Preparing_Africa_s_Digital_Talent.pdf
Avatar for Ayodele Aransiola leomofthings
0
7
Building Desktop Apps Out of Web Apps: Scaling Electron With Code Signing & CI/CD
Avatar for Ayodele Aransiola leomofthings
0
10
Emerging opportunities for AI Enthusiasts
Avatar for Ayodele Aransiola leomofthings
0
22
How to get Funding
Avatar for Ayodele Aransiola leomofthings
0
17
Leveraging Opensource for career growth
Avatar for Ayodele Aransiola leomofthings
0
37
Navigating Essential Tech Tools
Avatar for Ayodele Aransiola leomofthings
0
11
How to Build World-Class Web3 Developer Communities
Avatar for Ayodele Aransiola leomofthings
1
540
Why Your Open-Source Project Feels Broken (and How to Fix It)
Avatar for Ayodele Aransiola leomofthings
0
110

Other Decks in Programming

See All in Programming
TypeScript 5.9 で使えるようになった import defer でパフォーマンス最適化を実現する
Avatar for おおいし bicstone
1
1.2k
CSC305 Lecture 17
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
340
Microservices Platforms: When Team Topologies Meets Microservices Patterns
Avatar for Chris Richardson cer
PRO
1
1k
Microservices rules: What good looks like
Avatar for Chris Richardson cer
PRO
0
1.1k
C-Shared Buildで突破するAI Agent バックテストの壁
Avatar for po3rin po3rin
0
370
非同期処理の迷宮を抜ける: 初学者がつまづく構造的な原因
Avatar for PADAone pd1xx
1
690
LLMで複雑な検索条件アセットから脱却する!! 生成的検索インタフェースの設計論
Avatar for po3rin po3rin
2
630
React Native New Architecture 移行実践報告
Avatar for taminif taminif
1
150
Developing static sites with Ruby
Avatar for Masafumi Okura okuramasafumi
0
230
tparseでgo testの出力を見やすくする
Avatar for utagawa kiki utgwkk
1
180
Integrating WordPress and Symfony
Avatar for Alexandre Salomé alexandresalome
0
140
ID管理機能開発の裏側 高速にSaaS連携を実現したチームのAI活用編
Avatar for Atsushi Kawamura (atzz/a2c) atzzcokek
0
210

Featured

See All Featured
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.5k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
9.8k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.7k
Docker and Python
Avatar for Tania Allard trallard
47
3.7k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
80
6.1k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1032
470k
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
Done Done
Avatar for chrislema chrislema
186
16k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
24
3.8k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.3k

Transcript

  1. 00 What if a single line of code could expose

    your entire database to the public?

  2. What if the feature that made your app go live

    fast also becomes the reason your company is trending for the wrong reason?

  3. That is what happens when that says, if true. you

    ship with Firebase rules

  4. ABUJA Ayodele Aransiola Solution Architect, Gopaddi Securing Your Firebase Apps:

    A Deep Dive into Firestore Rules 2025

  5. ABUJA - Developer Relations - Solutions Architect - Open-source Advocate

    - Co-founder, RYD Learning (X) - @leomofthings

  6. 01 Just Make it Work • Secure • Scalable •

    S(C)ompliant

  7. 02 Rules are not filters. Firebase rules are not your

    backend logic.

  8. Think ‘deny first, permit by intent’ approach.

  9. Breaking Bad

  10. 03 Apps on prod need more nuances, especially SaaS-based ones:

    admin, viewers (audit…), and support. Which of these roles should have edit access?

  11. Now let’s make sure users can only touch their own

    stuff.

  12. Field Immutability Sometimes users should be able to edit content

    but not sensitive fields like roles or balances. ABUJA

  13. 04 Multi-Tenancy Like a massive apartment complex. Everyone lives in

    the same building (server) and relies on the same water and electricity (database/infrastructure).

  14. ABUJA Ensuring Data Isolation.

  15. 05 For collaborative applications, you can’t just block everyone else;

    You need smart sharing.

  16. Access Control List (ACL) Pattern

  17. Document Level ACL Pattern

  18. Security that’s untested is insecurity in disguise.

  19. 06 When Rules cannot handle it, delegate to cloud functions.

    Example: validating cross-collection data.

  20. ABUJA You can’t IMPROVE what you don’t MONITOR.

  21. Audit Checklist • Generic > Specific • Manual > Automate

    • Flat > Modular • Basic > Tested ABUJA

  22. Security isn’t a sprint; it’s part of your CI culture.

  23. Speed is good, but secure speed is better. Ayodele Aransiola

    Solution Architect, Gopaddi. ABUJA (X) - @leomofthings