Live audit · 24h delivery · Active probe confirms every leak

Find what your Firebase project is leaking right now — from $29.

There are 1,748+ public GitHub repos with leaked Firebase configs right now. Half of those Firestore instances respond to anonymous reads on /users, /orders, /messages. Is yours one of them? Find out in 10 seconds.

⭐ 5 ecosystems supported 🔓 MIT open source — runs locally 🛡️ Active anon probe (not just rule parsing) ⚡ 7 detection patterns

Try the free instant scanner first

⚡ Free in-browser scan →

Paste your project ID. See which collections are publicly readable. No sign-up. No data sent to my server.

What you get with a paid audit

→
Self-contained HTML report — letter grade (A+ to F), severity-ranked findings, charts. Forward to your team.
→
Active probe on every finding — I don't just say "rule X looks bad." I fetch live with anonymous Firestore REST and show you exactly what comes back.
→
Paste-ready firestore.rules snippets — for every match block, the corrected version with proper auth + ownership checks. Drop straight into your rules file.
→
7 detection patterns — if true, match /{document=**}, expired test-mode, auth-only-no-ownership, read-open-write-protected mistakes, public storage rules, missing default-deny.
→
24h delivery by email. Static analysis takes seconds; the rest is reading + confirming intentional exposures.

Pick a tier

Impulse

Top-5 fix bundle, plain text, 12h email

Get $5 fixes

Recurring

Monitoring

$9/mo

Weekly auto-scan + email digest of new leaks

Subscribe $9/mo

Lite

$29

Top 3 critical fixes + written summary, 24h

Get $29 lite

Full

$99

Every match block + 30d Q&A, 24h

Get $99 full

→ Source code on GitHub (MIT, runs locally)

Want to test the auditor first? Run it free on Apify (no install):

▶ firebase-security-auditor on Apify

Why now?

Firebase test-mode rules expire after 30 days, but most devs forget the deadline and hard-code request.time < timestamp.date(2099, 1, 1) "temporarily." That's still wide-open in 2026 unless someone audits. Test-mode auto-expiry shipped in Firebase mid-2018; if your project is older than that, run the scan now.

Why me?

I publish the auditor itself open-source (MIT). I built and run all 5 BaaS security scanners (Supabase, PocketBase, Appwrite, Hasura/Nhost, Firebase). I'm not just selling consulting — I'm packaging real, repeatable detection.

Built by Perufitlife · All tools MIT licensed · Questions? renzomacar@gmail.com