This prompt can help your AI assistant (like Google Antigravity) generate and refine Firebase Security Rules for your app. You can use the prompt to draft Security Rules for common use cases, such as granting user-specific access, implementing role-based permissions, and validating data.
This prompt focuses on generating Security Rules for:
- Cloud Firestore: Secure collections and documents based on your app's logic.
- Cloud Storage for Firebase: Validate access permissions for your stored files.
Using this prompt can help you get started with a strong security posture, but you should always test your Security Rules thoroughly before deploying to production. For more information about testing Security Rules, review Get started with Firebase Security Rules: Test your Security Rules.
Prerequisites
- Familiarize yourself with Firebase Security Rules best practices.
- To run unit tests for Firebase Security Rules and use the Firebase Local Emulator Suite, install Node.js and the Firebase CLI. For full instructions, refer to Install, configure, and integrate Firebase Local Emulator Suite.
- Recommended: If you haven't already, install Antigravity. The following instructions explain how to enable and use the Firebase agent skills and MCP server to generate Security Rules. If you prefer to use another AI coding agent, you can copy and paste the prompt for Cloud Firestore or Cloud Storage for Firebase from the firebase-tools repository into your chosen AI coding agent.
- The Firebase agent skills and MCP server work together to access prompts that generate and validate Firebase Security Rules, and help with testing and deployment of Security Rules. Install the Firebase MCP server before using these tools to generate Firebase Security Rules.
Limitations
We are actively improving this experience, so this list of limitations may change. Check back often for updates.
The prompt is designed to generate Firebase Security Rules for Cloud Firestore and Cloud Storage for Firebase. It's not yet capable of generating Security Rules for Firebase Realtime Database.
Firebase Security Rules are not called when accessing your database or bucket from a server or other backend environment, such as when using the Firebase Admin SDK. If you're using the Admin SDK, you're responsible for managing authorization and data validation in your backend code.
Gemini in Firebase within the Firebase console is unable to generate Firebase Security Rules, even when using this prompt. Instead, use an alternate AI assistant that has access to your codebase, such as Antigravity (which is described on this page).
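Because Admin SDK calls bypass Security Rules, the owner check and data validation that the rules would perform have to be repeated in backend code. The following is an added example of such a check in JavaScript, not part of the original page or of Firebase's code. It assumes a hypothetical notes schema (ownerId, title, body), a hypothetical admin custom claim, and an ID token the server has already verified.

```javascript
// Added example, not Firebase code. The `notes` schema (ownerId, title, body)
// and the `admin` custom claim are hypothetical. `claims` is assumed to be the
// decoded ID token the server has already verified.
const ALLOWED_FIELDS = ['ownerId', 'title', 'body'];
const MAX_TITLE = 100;
const MAX_BODY = 10000;

const deny = (reason) => ({ ok: false, reason });

// Decide whether a write to a note may go through the Admin SDK.
// existingDoc is the stored document (null on create); incoming is client input.
function authorizeNoteWrite(claims, existingDoc, incoming) {
  // Deny by default: without a verified identity nothing is allowed.
  if (!claims || typeof claims.uid !== 'string' || claims.uid === '') {
    return deny('unauthenticated');
  }
  if (incoming === null || typeof incoming !== 'object' || Array.isArray(incoming)) {
    return deny('invalid-payload');
  }
  // Reject fields outside the schema so clients cannot smuggle in extras.
  if (Object.keys(incoming).some((k) => !ALLOWED_FIELDS.includes(k))) {
    return deny('unexpected-field');
  }
  // Strict comparison: a claim holding the string "true" is not an admin.
  const isAdmin = claims.admin === true;
  // Updates: only the current owner or an admin may write.
  if (existingDoc && existingDoc.ownerId !== claims.uid && !isAdmin) {
    return deny('not-owner');
  }
  if (typeof incoming.ownerId !== 'string' || incoming.ownerId === '') {
    return deny('invalid-owner');
  }
  // A non-admin can only create or keep documents under their own uid.
  if (incoming.ownerId !== claims.uid && !isAdmin) {
    return deny('owner-mismatch');
  }
  const { title, body } = incoming;
  if (typeof title !== 'string' || title.length === 0 || title.length > MAX_TITLE) {
    return deny('invalid-title');
  }
  if (typeof body !== 'string' || body.length > MAX_BODY) {
    return deny('invalid-body');
  }
  // Return a fresh object holding only validated fields; write this, not `incoming`.
  return { ok: true, doc: { ownerId: incoming.ownerId, title, body } };
}
```

Write the returned doc to the database rather than the raw client payload, so that only validated fields are stored.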
Use the prompt
This capability is available when using the
Firebase MCP server and
Firebase agent skills with a compatible
AI assistant (such as Antigravity) to generate your Security Rules and
tests. These tools
analyze your source code to help identify data schemas and access patterns for
Cloud Firestore and Cloud Storage. They are designed to draft Security Rules
based on the principle of least privilege and attempt to uncover
vulnerabilities through iterative "attack" simulations. To assist with final
verification, they provide a starting unit test suite using
@firebase/rules-unit-testing, allowing you to verify your security logic
locally using the Firebase Local Emulator Suite.
Using these tools requires three steps which are described in this section:
Step 1: Generate Security Rules and tests
Set up and run the tools:
- Enable the Firebase agent skills:
  - Google Antigravity: Refer to the setup instructions to enable the Firebase integration bundle. If you're using the CLI, you can enable the skills by running:
    npx skills add firebase/agent-skills --agent=antigravity
  - Other AI coding agents: Follow the instructions for agent skills and the MCP server.
- Start your AI assistant (for example, run agy in your terminal for the CLI, or open the desktop application).
- From the root of your project, ask the agent to generate Security Rules for either Cloud Firestore or Cloud Storage based on how your AI coding agent interacts with MCP prompts:
  - For coding agents that use natural language (like Antigravity), prompt the agent using natural language.
    - Generate Security Rules for Cloud Firestore:
      Generate Firestore security rules for this project, then run the unit tests.
      In the parent directory, the agent creates a firestore.rules file and a new security_rules_test_firestore directory that contains a Node.js project with unit tests for the generated Security Rules.
    - Generate Security Rules for Cloud Storage for Firebase:
      Generate Cloud Storage security rules for this project, then run the unit tests.
      In the parent directory, the agent creates a storage.rules file and a new security_rules_test_storage directory that contains a Node.js project with unit tests for the generated Security Rules.
  - For coding agents that support slash commands (like Claude Code), use the following commands.
    - Generate Security Rules for Cloud Firestore:
      /firestore:generate_security_rules
    - Generate Security Rules for Cloud Storage for Firebase:
      /storage:generate_security_rules
  - For coding agents that don't support MCP prompt integration, you can copy the raw prompt template from the firebase-tools repository and paste it into the agent's chat.
    - Generate Security Rules for Cloud Firestore: Copy the prompt from Cloud Firestore.
    - Generate Security Rules for Cloud Storage for Firebase: Copy the prompt from Cloud Storage for Firebase.
Step 2: Review Security Rules validation and test results
Make sure the following are done by your AI coding agent. You should get a generated summary after the tools run.
- Syntax validation: After generating Security Rules, your AI coding agent automatically validates syntax using the firebase_validate_security_rules command from the Firebase MCP server.
- Unit tests: After validating syntax, your AI coding agent attempts to run the generated unit tests using the Firebase Local Emulator Suite.
If tests don't run automatically, start the Firebase Local Emulator Suite in a separate terminal, then use one of the following options to run the tests:
- Option 1: Instruct your AI assistant to run tests:
  Firebase Emulator Suite is running in a separate terminal. Please execute the tests.
- Option 2: Run tests manually by following the instructions in the README.md file in the rules_test or storage_rules_test directory.
Step 3: Deploy Security Rules to your Firebase project
When you're satisfied with the result of your generated Security Rules, use the following Firebase CLI commands to deploy the Security Rules to your Firebase project:
- Cloud Firestore
  firebase deploy --only firestore:rules
- Cloud Storage for Firebase
  firebase deploy --only storage