Detect the infamous Firebase data-leak patterns (`match /{document=**} { allow read, write: if true; }`, expired test-mode rules, auth-without-ownership) in any `firestore.rules` file. An optional active probe sends an anonymous GET to the Firestore REST endpoint to prove the leak with real data.
▶ Run it without installing anything → apify.com/renzomacar/firebase-security-auditor (paste your firestore.rules + optional project ID, get HTML report)
⚡ Want me to run it for you and send back a written report? $99, 24h delivery → https://perufitlife.github.io/supabase-security-skill/ (one landing covers all five — Supabase, PocketBase, Appwrite, Hasura, Firebase)
🔁 Want this running on a cron? RLS Monitor does weekly diff-based scans + email alerts when new findings appear — $29/mo, your keys never leave your CI.
📦 Need all 5 BaaS stacks at once? The BaaS Security Pack bundles every scanner + sample reports + fix-SQL libraries — one $99 download.
🪞 Sister tool: aitells detects + rewrites AI fingerprints in your text (em-dashes, "delve", parallel bullets). Free detector + $19 lifetime rewriter at /rewrite.
Sister tools for other BaaS platforms (same `--discover` flag, all MIT): supabase-security · pocketbase-security · appwrite-security · nhost-security
Firebase Firestore rules are easy to get wrong, and the failure mode is the worst possible: silent and total. The patterns I see over and over:
- `match /{document=**} { allow read, write: if true; }`, left over from `firebase init`. Anyone with the project ID can dump every collection. Made HN multiple times.
- `request.time < timestamp.date(2026, 6, 1)`: Firebase generates this in test mode. It expires on a date but is wide open BEFORE that date.
- `if request.auth != null` without an ownership check, the same anti-pattern as PocketBase's `@request.auth.id != ""`. Any anonymous-auth user can read/write everything.
- Read open + write closed catch-all: devs lock writes but forget reads stay public.
- Storage `allow read: if true` on user uploads exposes private files (PII docs, payment proofs).
Run against a local rules file (no auth needed):

```bash
npx firebase-security firestore.rules
```

With active probe (sends anonymous GET to your project's REST endpoint):

```bash
npx firebase-security firestore.rules --project-id my-firebase-project --html report.html
```

Probe-only mode (no rules file; just verify whether anonymous reads work against the deployed DB):

```bash
npx firebase-security --project-id my-firebase-project --html report.html
```

| # | Check | Severity |
|---|---|---|
| 1 | `match /{document=**}` with `if true` (the infamous wide-open pattern) | CRITICAL |
| 2 | `if true` literal anywhere in rules | CRITICAL |
| 3 | `if request.auth != null` without ownership check | HIGH |
| 4 | Test-mode timestamp rule (open until expiry date) | HIGH |
| 5 | Catch-all read open + write closed | MEDIUM |
| 6 | Storage rules with open read on user uploads | HIGH |
| 7 | Missing explicit default-deny block | INFO |
Each finding ships with a fix snippet you paste back into firestore.rules.
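As an added example (not the scanner's own code), here is a small Python detector for checks 1-5 and 7 from the table above, run over a constructed `firestore.rules` sample; the regexes are my assumption about how such patterns can be matched, not the tool's implementation.

```python
import re

# Constructed sample firestore.rules (not from any real project): a test-mode
# expiry rule in the catch-all, an auth-without-ownership rule, and one correct rule.
SAMPLE_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2026, 6, 1);
    }
    match /posts/{postId} {
      allow read, write: if request.auth != null;
    }
    match /profiles/{uid} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
"""

CATCH_ALL = re.compile(r"match\s+/\{[^}]+=\*\*\}\s*\{([^}]*)\}", re.S)
ALLOW_STMT = re.compile(r"allow[^;]*:\s*if\s+([^;]*);")
TEST_MODE = re.compile(r"request\.time\s*<\s*timestamp\.date\([^)]*\)")
DEFAULT_DENY = re.compile(r"=\*\*\}\s*\{\s*allow\s+read,\s*write:\s*if\s+false;")

def audit_rules(text):
    """Return (check_id, severity, evidence) tuples for checks 1-5 and 7."""
    findings = []
    catch_all = CATCH_ALL.search(text)
    body = catch_all.group(1) if catch_all else ""
    if re.search(r"allow[^;]*:\s*if\s+true\b", body):            # 1: wide-open catch-all
        findings.append((1, "CRITICAL", catch_all.group(0).strip()))
    if re.search(r"allow\s+read:\s*if\s+true", body) and re.search(r"allow\s+write:\s*if\s+false", body):
        findings.append((5, "MEDIUM", catch_all.group(0).strip()))  # 5: read open, write closed
    for m in ALLOW_STMT.finditer(text):
        cond = m.group(1)
        if re.search(r"\btrue\b", cond):                           # 2: `if true` literal anywhere
            findings.append((2, "CRITICAL", m.group(0)))
        if "request.auth != null" in cond and "request.auth.uid" not in cond:
            findings.append((3, "HIGH", m.group(0)))               # 3: auth without ownership
        if TEST_MODE.search(cond):                                 # 4: test-mode expiry rule
            findings.append((4, "HIGH", m.group(0)))
    if not DEFAULT_DENY.search(text):                              # 7: no explicit default deny
        findings.append((7, "INFO", "no `allow read, write: if false;` catch-all block"))
    return findings
```

Storage rules (check 6) live in a separate `storage.rules` file and are not covered here.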
The probe sends an unauthenticated GET to:
https://firestore.googleapis.com/v1/projects/{project-id}/databases/(default)/documents
If documents come back, the project's default DB is leaking and the finding is marked `confirmed: true`, with document count, bytes returned and sample paths.
`--no-probe` disables the network call.
In the Firebase console: Project Settings → General → Project ID (looks like my-app-1a2b3 or whatever you named it).
The probe only sends an unauthenticated GET — same thing any random visitor with your project ID could send. We don't need (or want) your service account key.
- HTML report — Tailwind + Chart.js, ~25KB self-contained. Top banner shows X of Y suspected leaks confirmed live.
- JSON — full structured findings (default stdout if no `--html`).
MIT. Open source: https://github.com/Perufitlife/firebase-security-skill
For the BaaS family, see:
- Supabase: https://github.com/Perufitlife/supabase-security-skill
- PocketBase: https://github.com/Perufitlife/pocketbase-security-skill
- Appwrite: https://github.com/Perufitlife/appwrite-security-skill
- Hasura/Nhost: https://github.com/Perufitlife/nhost-security-skill
Two productized services:
- Vibe-code Security Review — $199 / 48h — I review your AI-generated code (Cursor / Claude / v0 / Bolt) and ship a PDF with fixes ranked by exploitability.
- Sandbox-as-a-Service — $499 / 48h — custom partner integration sandbox built for your API.
See rotatepilot-skyx-sandbox for a live demo of how a partner consumes one of our public REST APIs in a single static page — built 12-may-2026 in response to an aviation-platform partnership inbound. Same JSON-contract / CORS / edge-served approach we use for firebase-security integrations.
If your team writes outreach, PR descriptions, or social posts with AI, the aitells ecosystem catches the fingerprints before they ship:
- `@perufitlife/aitells-mcp`: MCP server for Claude Code / Cursor. `detect_ai_tells` + `humanize_text` as native tools.
- `Perufitlife/aitells-action`: GitHub Action that scans PR titles/bodies/commits for AI patterns. Posts a friendly summary comment.
- aitells.vercel.app: free detector + $19 lifetime humanizer (first 100 buyers)