
Firestore Security Rules: The Unsung Hero of SaaS

2 min read
Tags: Firebase, Security, Backend, Firestore

With the authentication system currently in maintenance mode, I am spending the day deep in the backend configuration. Specifically, I am auditing my Firestore Security Rules.

For those unfamiliar with Firebase, this is the most critical file in the entire project. It acts as the gatekeeper for my database.

The Myth of Frontend Security

Many junior developers make a fatal mistake: they think hiding a button protects the data. "If I don't show the 'Delete' button to the user, they can't delete the post."

Wrong.

Any user can open the browser Developer Console and send a delete command directly to your database API. If your security relies on your UI (User Interface), you have no security. This is "Security by Obscurity," and it always fails.

Security is Logic

In Firestore, security is code. It looks like this:

allow update: if request.auth != null && resource.data.userId == request.auth.uid;

This single line is powerful. It translates to: "You can only update this document IF you are logged in AND the document's owner ID matches your ID." It doesn't matter whether an attacker bypasses the UI; the database itself rejects the request because the condition evaluates to false.

Today's maintenance is about tightening these rules. I am moving from "basic checks" to RBAC (Role-Based Access Control), ensuring that even if a user is authenticated, they cannot escalate their privileges to become an admin unless explicitly authorized.
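The following rules file is an added example, not the rules from this project, showing the owner check above extended to the role-based setup the paragraph describes. It assumes a `users/{uid}` document that carries a `role` field and a `posts/{postId}` collection whose documents carry the owner's `userId`; the hypothetical helper functions (`signedIn`, `isAdmin`, `roleUnchanged`) are defined inline.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Is the caller signed in at all?
    function signedIn() {
      return request.auth != null;
    }

    // Look up the caller's role in their own profile document
    // (assumed layout: users/{uid} with a 'role' field).
    function isAdmin() {
      return signedIn()
          && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }

    // True when the write does not change the 'role' field.
    // This is the check that stops a user from promoting themselves.
    function roleUnchanged() {
      return !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']);
    }

    match /users/{userId} {
      // A user may read their own profile; admins may read any profile.
      allow read: if signedIn() && (request.auth.uid == userId || isAdmin());

      // New profiles are always created as plain users, never as admins.
      allow create: if signedIn()
                    && request.auth.uid == userId
                    && request.resource.data.role == 'user';

      // Owners may edit their profile but may not touch 'role';
      // only an existing admin may change roles.
      allow update: if signedIn() && (
                      (request.auth.uid == userId && roleUnchanged()) || isAdmin()
                    );

      allow delete: if isAdmin();
    }

    match /posts/{postId} {
      allow read: if signedIn();

      // A post can only be created with the caller as its owner.
      allow create: if signedIn()
                    && request.resource.data.userId == request.auth.uid;

      // The owner check from the article, plus an admin override.
      allow update, delete: if signedIn() && (
                      resource.data.userId == request.auth.uid || isAdmin()
                    );
    }
  }
}
```

The important line is `roleUnchanged()`: without it, the `users` update rule would let any signed-in user write `{ role: 'admin' }` to their own profile, which is exactly the privilege escalation the paragraph warns about. Note that `isAdmin()` performs a `get()` on every evaluation, which counts as a billed document read; storing the role as a custom claim and checking `request.auth.token` instead avoids that read, at the cost of a token refresh when a role changes.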

Security is not obscurity. It is logic.

Best,

Gerasimos Makris
Founder of g-makris.com
AI Web Developer | Double Master's in MBA & FinTech and Blockchain

Tech Glossary & Concepts

  • SaaS (Software as a Service): A software distribution model where applications are hosted by a vendor or service provider and made available to customers over a network, typically the internet.
  • Frontend vs Backend: Frontend is what the user sees (the browser, the buttons). Backend is the server and database where the logic and data live.
  • RBAC (Role-Based Access Control): A method of restricting network access based on the roles of individual users within an enterprise.
  • Privilege Escalation: An attack where a user gains access to resources or functions that they are not normally allowed to access (e.g., a regular user making themselves an admin).

About the Author

Gerasimos Makris

AI Web Developer & FinTech Specialist


Gerasimos Makris is an AI Web Developer with a background in FinTech operations. He specializes in building secure, scalable web applications that solve real-world financial problems. When he's not coding, he enjoys exploring the intersection of technology, finance, and business strategy.
