Paste your Firebase project ID. The scan runs entirely in your browser. Nothing is sent to my server. Open DevTools → Network if you want to verify — every request goes directly from your browser to firestore.googleapis.com as an unauthenticated GET.
Only scan projects you own or have written authorization to test. Anyone can do this kind of probe; making it visible to you is the point.
How this works: for each collection name, the form sends an unauthenticated GET to https://firestore.googleapis.com/v1/projects/<your-id>/databases/(default)/documents/<collection>?pageSize=1. If the response contains documents, the collection is publicly readable (your firestore.rules are too permissive). A 403 or 401 status means the rules properly block the request; 404 means the collection doesn't exist.
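The verdict logic described above, as an added example that is not the scanner's own code: it builds the probe URL and classifies a response, treating a 200 with no documents as inconclusive. The function names, verdict strings, the `demo-project` ID and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: verdict logic for one unauthenticated Firestore REST probe.
// Function names and verdict strings are assumptions, not the scanner's own.

// Build the documents-list URL the page describes for one collection.
function probeUrl(projectId, collection) {
  if (!/^[a-z0-9-]+$/.test(projectId)) throw new Error("unexpected project ID");
  return "https://firestore.googleapis.com/v1/projects/" + projectId +
    "/databases/(default)/documents/" + encodeURIComponent(collection) +
    "?pageSize=1";
}

// Map an HTTP status and raw response body to a verdict.
function classify(status, bodyText) {
  if (status === 401 || status === 403) return "blocked";   // rules deny the read
  if (status === 404) return "missing";                     // no such collection
  if (status !== 200) return "inconclusive";                // 429, 5xx, ...
  let body;
  try { body = JSON.parse(bodyText); } catch (e) { return "inconclusive"; }
  const docs = body && Array.isArray(body.documents) ? body.documents : [];
  // Only a non-empty documents array proves an anonymous read succeeded.
  return docs.length > 0 ? "public-read" : "inconclusive";
}

// Constructed sample responses (not captured from a real project).
const samples = [
  { collection: "users", status: 200, body: '{"documents":[{"name":"projects/demo-project/databases/(default)/documents/users/u1","fields":{}}]}' },
  { collection: "orders", status: 403, body: '{"error":{"code":403,"status":"PERMISSION_DENIED"}}' },
  { collection: "drafts", status: 200, body: "{}" },
  { collection: "logs", status: 404, body: "" },
];

// Produce one { url, verdict } row per probed collection.
function report(projectId, responses) {
  return responses.map(r => ({
    url: probeUrl(projectId, r.collection),
    verdict: classify(r.status, r.body),
  }));
}

console.log(report("demo-project", samples));
```

Any collection reported as `public-read` is one whose rules in firestore.rules need tightening before the data is considered private.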
Want a deeper scan with your actual rules file? Run: npx firebase-security ./firestore.rules --project-id <your-id> (free, MIT). Or run the same on Apify: apify.com/perufitlife/firebase-security-auditor.