Firebase Firestore: why 'allow read, write: if request.auth != null' is not security
The false sense of security
The rule allow read, write: if request.auth != null; is the most common Firestore configuration we see. It looks secure because it rejects anonymous requests. In reality, when it sits under a broad match such as match /{document=**}, it lets ANY authenticated user read and modify EVERY document in the database, including other users' data. Authentication is not authorization, and creating an account is usually open to anyone, so "signed in" is a very low bar.
The fix
Replace it with an ownership check: allow read, write: if request.auth.uid == resource.data.userId. Two caveats apply in practice. On create, resource.data is null (nothing is stored yet), so the create rule must check request.resource.data.userId == request.auth.uid instead. On update, also require request.resource.data.userId == resource.data.userId so that a document cannot be reassigned to another owner.
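The weak rule next to a hardened rules file, as an added example that is not taken from the original article. The notes collection and its userId field are assumptions made for the illustration; the structure is standard Firestore security rules syntax.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (the rule discussed above): any signed-in user can read and
    // write every document in the database. Kept here only for contrast.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Helpers. Accessing data.userId when data is null raises an error,
    // and an error evaluates to deny, but checking signedIn() first keeps
    // the intent explicit.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(data) {
      return signedIn() && data.userId == request.auth.uid;
    }

    // Hardened: per-document ownership on an assumed "notes" collection
    // whose documents carry a userId field.
    match /notes/{noteId} {
      // Read and delete: the stored document must belong to the caller.
      allow read, delete: if isOwner(resource.data);

      // Create: resource.data is null because nothing is stored yet, so
      // the check has to run against the incoming document.
      allow create: if isOwner(request.resource.data);

      // Update: the caller must own the stored document AND must not
      // reassign it to another user.
      allow update: if isOwner(resource.data)
                    && request.resource.data.userId == resource.data.userId;
    }

    // Anything not matched above is denied by default.
  }
}
```

Rules are not filters: with the hardened file, a client query over notes is only allowed if it is constrained so that every result could pass the rule, for example where('userId', '==', currentUid). An unconstrained collection query is rejected outright, which is the behaviour you want but is a common source of "permission denied" surprises after tightening rules.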
What we find
70% of Firebase applications we audit use this basic rule.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.