Firebase Advisory · Test-Mode Security Rules Expiry
Severity: high · Published: 2025-04-22
Firebase's 'Start in test mode' onboarding flow ships Firestore and Storage with rules that allow any authenticated (or unauthenticated) read/write for 30 days. Countless production apps deploy these rules and either (a) never revisit them and leak data for 30 days, or (b) suddenly break in production when rules flip closed.
Affected
- Firestore databases created via 'test mode' onboarding
- Cloud Storage buckets created with the default rules template
- Any project whose `firestore.rules` still contains `request.time < timestamp.date(...)`
Impact
During the 30-day window, all documents are publicly readable and writable given the API key (which is embedded in every client build). After expiry, the app breaks. Both outcomes are bad · one leaks data, the other causes outages.
Fix
- Grep your `firestore.rules` and `storage.rules` for `request.time` and `timestamp.date` · these are the test-mode markers.
- Replace with a deny-by-default block: `match /{document=**} { allow read, write: if false; }`.
- Open specific paths gated on `request.auth != null` and ownership fields.
- Use the Firebase Rules Simulator to test as an unauthenticated user · every path must fail.
- Deploy rules with `firebase deploy --only firestore:rules,storage`.
Check your app →