Free Security Tool
Firestore, Realtime Database, Storage, and Cloud Functions —
are your Security Rules actually locked down?
Firestore Security Rules
Probes every discovered collection for anonymous read access. Counts exposed documents via aggregation queries — never reads field values.
Realtime Database
Checks the classic 'wide open RTDB' misconfiguration — a single GET to /.json that has dumped countless production databases.
Storage Bucket Listing
Tests Firebase Storage buckets for anonymous file enumeration. Captures filenames only — never downloads any content.
Cloud Functions
Discovers httpsCallable functions in your JS bundles and probes for unauthenticated invocation — catches functions missing context.auth checks.
Open Signup Detection
Sends a malformed signup request to the Identity Toolkit to detect whether public signup is enabled — without actually creating accounts.
Project Detection
Extracts Firebase config from JS bundles using regex patterns for apiKey, projectId, databaseURL, and storage bucket — also detects projects via Storage URL leaks.
Firebase Firestore, Realtime Database, and Storage all rely on Security Rules to govern access. The default project rules grant anonymous read/write — and many apps never tighten them, especially those built fast with AI tools or no-code platforms.
Years of misconfigured Firebase Realtime Databases have leaked production data via a single GET /.json request. We probe with ?shallow=true so we can detect exposure without ever fetching the actual data.
Firebase Cloud Functions don't enforce authentication automatically. Developers must add context.auth checks themselves — and forgetting one means anyone can call your paid LLM, send emails, or trigger billable side effects.
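The missing-check pattern described above and its hardened form, as an added example that is not LaunchGuard's own code: a callable handler that ignores `context.auth` beside a `requireAuth` wrapper that rejects unauthenticated calls before any billable work runs. `HttpsError`, `requireAuth`, `unguardedHandler` and `probe` are names assumed here; `HttpsError` is a minimal stand-in for `functions.https.HttpsError` so the file runs without the firebase-functions SDK installed.

```javascript
// Stand-in for firebase-functions' HttpsError (assumed to share its
// (code, message) constructor shape) so this example runs offline.
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code;
  }
}

// The vulnerable pattern: the handler never looks at context.auth, so any
// caller who can reach the endpoint triggers the paid side effect.
function unguardedHandler(data, context) {
  const uid = context && context.auth ? context.auth.uid : null;
  // Placeholder for the billable work (LLM call, email send, ...).
  return { charged: true, prompt: data.prompt, user: uid };
}

// Hardened form: one wrapper that every callable passes through, so the
// auth check cannot be forgotten on an individual function.
function requireAuth(handler) {
  return (data, context) => {
    if (!context || !context.auth || !context.auth.uid) {
      throw new HttpsError('unauthenticated', 'Sign in to call this function.');
    }
    return handler(data, context);
  };
}

const guardedHandler = requireAuth(unguardedHandler);

// Real deployment would wire it as:
//   exports.runLlm = functions.https.onCall(requireAuth(unguardedHandler));

// What an unauthenticated invocation looks like to each handler: the
// scanner's probe succeeds against the first and is refused by the second.
function probe(handler) {
  try {
    handler({ prompt: 'hi' }, { auth: null, rawRequest: {} }); // constructed call
    return 'invoked';
  } catch (e) {
    return e instanceof HttpsError ? e.code : 'error';
  }
}
```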
This scanner never writes data, never reads document field values, never downloads storage objects, and never creates auth accounts. We capture only structural metadata: collection names, document counts, file paths, and top-level keys.
This tool focuses exclusively on Firebase-specific security. For a broader scan that includes API cost exposure, rate limiting, and endpoint fuzzing, try the full LaunchGuard scan.