We hit your Firebase project from the outside and check whether Firestore, Realtime Database, Storage, and Cloud Functions are locked the way you think they are. No SDK, no credentials, just the same requests anyone could make.
We test read access to every collection we can find, with no login attached. The Firestore rule allow read: if true shows up more often than you'd think.
We hit the /.json endpoint directly. If data comes back, your rules file is wide open: the classic copy-from-quickstart mistake.
We poke your Storage bucket with anonymous requests and check whether files are listable or downloadable without signing in.
We find publicly callable functions in your app's network requests and test them for auth checks and rate limits.
Firebase API keys in client code are expected, but we check whether yours is missing the restrictions that keep it from being abused.
We test whether your signed-in rules really scope data to the current user, or whether any user can read anyone else's documents.
No. We only use the same public API access your users and strangers already have. No service account, no Admin SDK. Everything is external.
The console simulator sometimes says "denied" while the live API behaves differently, because of rule ordering or version mismatches. We test the live behavior, not the simulation.
The scan only makes read-only requests. We never write, update, or delete documents or files.
Open the Firebase console, go to Realtime Database → Rules, and swap the defaults for {"rules":{".read":false,".write":false}}, then add auth-scoped rules per path. Get the exact rule set for your data structure with a Pro plan.
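A concrete rule set for that step, added here as an example rather than taken from this page or its service: the root stays locked and access is granted per path, so the live /.json read described above gets denied while signed-in users still reach their own data. The users, profile, displayName, announcements and admins paths are an assumed data layout; the rules editor accepts // comments.

```json
{
  "rules": {
    // Quickstart-style rules look like {".read": true, ".write": true}
    // here and expose the whole tree. Rules cascade downward, so an open
    // rule at the root cannot be undone deeper in the tree; start closed.
    ".read": false,
    ".write": false,

    // Assumed layout: one subtree per account under /users/{uid}.
    "users": {
      "$uid": {
        // Only the signed-in owner of this subtree can read or write it.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "profile": {
          // Constrain the shape so a client cannot write arbitrary keys.
          "displayName": {
            ".validate": "newData.isString() && newData.val().length <= 64"
          },
          "$other": { ".validate": false }
        }
      }
    },

    // Assumed public, read-only content: anyone may read; only a signed-in
    // user listed under /admins/{uid}: true may write.
    "announcements": {
      ".read": true,
      ".write": "auth != null && root.child('admins').child(auth.uid).val() === true"
    }
  }
}
```

With these rules an anonymous GET on /.json or /users.json is denied, while GET /announcements.json still succeeds, which is the split you want the live scan to confirm.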
Run a free scan. See exactly what a stranger can reach in your Firebase project right now, before someone else does.
Scan my app, free