The Realtime Database provides a declarative rules language that allows you to define how your data should be structured, how it should be indexed, and when your data can be read from and written to. By default, read and write access to your database is restricted so only authenticated users can read or write data. To get started without setting up Authentication, you can configure your rules for public access. This does make your database open to anyone, even people not using your app, so be sure to restrict your database again when you set up authentication.
You can find and change the rules for your database in the Firebase console. Simply choose your project, click on the Database section on the left, and then select the Rules tab. If you would like to test your security rules before putting them into production, you can simulate operations in the console using the Simulate button in the upper right of the rules editor.
You can also update your rules using our Command Line Interface. This is especially useful if you want to update your rules programmatically, such as from an automated deployment system.
By default, your database rules require Firebase Authentication and grant full read and write permissions only to authenticated users. The default rules ensure your database isn't accessible by just anyone before you get a chance to configure it. Once you're set up, you can customize your rules to your needs.
Here are some common examples:
The default rules require Authentication. They allow full read and write access to authenticated users of your app. They are useful if you want data open to all users of your app but don't want it open to the world.
During development, you can use the public rules in place of the default rules to set your files publicly readable and writable. This can be useful for prototyping, as you can get started without setting up Authentication. This level of access means anyone can read or write to your database. You should configure more secure rules before launching your app.
Here's an example of a rule that gives each authenticated user a personal node at /users/$user_id where $user_id is the ID of the user obtained through Authentication. This is a common scenario for any apps that have data private to a user.
It is essential that you configure these rules correctly before launching your app to ensure that your users can only access the data that they are supposed to.
For more information read the Database Rules Guide