Build and validate Firestore security rules with match patterns and conditions.
Last verified: May 2026
Required fields: rulesVersion, service, matches, matches[0], matches[0].path

Your team's Firestore-backed app had a security audit flag: any authenticated user could read any other user's profile. The builder helps you write a rule: `match /users/{userId} { allow read: if request.auth != null && request.auth.uid == userId; }`. Then you write emulator tests verifying that an authenticated user CAN read their own profile, an authenticated user CANNOT read another user's profile, and an unauthenticated user CANNOT read any profile. All 3 tests pass before deploy. Audit finding closed in a single PR.
The GCP Firestore Security Rules Builder helps you create security rules that control read and write access to your Firestore database. Firestore security rules use a custom expression language to match document paths, validate data, and check authentication state. This tool provides a visual interface for building rules with proper path matching, condition logic, and data validation functions, generating the rules file for deployment via the Firebase CLI or gcloud.
The builder constructs Firestore security rules as a structured rules document with match blocks (path patterns), allow/deny statements (read, write, get, list, create, update, delete), and conditions using request.auth, request.resource, resource, and get() / exists() helper functions. Output is the rules.firestore file ready for `firebase deploy --only firestore:rules` or for the rules section of a firebase.json.
The 10 get() call limit per rule evaluation is a hard cap. In a multi-tenant app where each request needs to (1) get the user, (2) get the user's role, (3) get the role's permissions, (4) get the tenant config, and (5) get the document, that is already 5 gets, leaving only 5 for everything else. Plan rule complexity carefully.
Always test rules with the Firebase Emulator Suite BEFORE deploying. The emulator catches 90% of rule bugs in seconds, instead of hours of debugging in production. Hook emulator tests into your CI so every PR runs them automatically.
request.auth.uid is null for unauthenticated requests, NOT undefined. Always check `request.auth != null` first, then check the uid. The pattern `request.auth.uid == userId` on its own is unsafe because it crashes on unauthenticated requests instead of returning false, exposing whether the document exists via the error message.
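As an added example (not output of the builder and not part of the original page), here is a complete rules file that combines the pieces described above: the match block for the audit scenario with the null-guarded ownership check, the granular get/list/create/update/delete operations, request.resource validation, and a helper that spends get()/exists() calls against the per-evaluation budget. The /users and /roles collection layout, the field names, and the `admin` role value are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // request.auth is null when no ID token is presented, so this check must
    // run before anything dereferences request.auth.uid.
    function signedIn() {
      return request.auth != null;
    }

    // The caller owns the document keyed by userId. && short-circuits, so an
    // unauthenticated request evaluates to false instead of erroring.
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // Role lookup (assumed layout: /roles/{uid} with a `role` field).
    // exists() and get() are two document accesses, so this helper costs 2 of
    // the 10-call per-evaluation budget every time it runs.
    function isAdmin() {
      return signedIn()
        && exists(/databases/$(database)/documents/roles/$(request.auth.uid))
        && get(/databases/$(database)/documents/roles/$(request.auth.uid)).data.role == 'admin';
    }

    match /users/{userId} {
      // Audit fix from the scenario above. The unsafe form was
      //   allow read: if request.auth.uid == userId;
      // which errors on unauthenticated requests rather than returning false.
      // `read` is split so that listing the whole collection stays admin-only.
      allow get: if isOwner(userId) || isAdmin();
      allow list: if isAdmin();

      // On create, validate the incoming document (request.resource.data):
      // only known fields, bounded string length, email bound to the token.
      allow create: if isOwner(userId)
        && request.resource.data.keys().hasOnly(['displayName', 'email', 'createdAt'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 80
        && request.resource.data.email == request.auth.token.email;

      // On update, compare the new state (request.resource) with the stored
      // state (resource) and only allow displayName to change.
      allow update: if isOwner(userId)
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['displayName'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 80;

      allow delete: if isOwner(userId) || isAdmin();
    }

    // Firestore denies anything no rule allows; the explicit catch-all just
    // makes the default-deny intent visible during review.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Deployed with `firebase deploy --only firestore:rules`, this file maps directly onto the three emulator tests from the scenario: a signed-in user's `get` of their own `/users/{uid}` document should succeed, their `get` of another user's document should fail, and an unauthenticated `get` should fail. With `@firebase/rules-unit-testing` those become one `assertSucceeds` and two `assertFails` calls, which is what your CI job should run on every PR.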
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.