Firebase security review skill (agentskills.codes, skill 14707)

Description (what the agent matches against to decide when to run this skill): Audit this Firebase + Vue app for security issues before deploy. Use when asked to "security review", "セキュリティレビュー" (security review), "安全性チェック" (safety check), "デプロイ前チェック" (pre-deploy check), "脆弱性チェック" (vulnerability check), or after changing rules / functions / auth. Covers Firestore & Storage rules, App Check enforcement, exposed secrets, callable-function auth guards, and hosting / CSP headers. Reports findings with severity, file:line, and a concrete fix.

Install (into .claude/skills/firebase-security-review):
mkdir -p .claude/skills/firebase-security-review && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14707" && unzip -o skill.zip -d .claude/skills/firebase-security-review && rm skill.zip

About this skill
Firebase security review
Audit the surfaces below. For each finding report severity (High / Med / Low), file:line,
why it matters, and the concrete fix. Verify claims against the code — do not assume.
1. Firestore & Storage rules (firestore.rules, storage.rules)
- Default-deny catch-all present and last? Any "allow ...: if true" or unauthenticated writes to real data? (Rules are allow-only: access is granted if any matching rule allows it, so the catch-all documents intent but never overrides a broader allow elsewhere in the file.)
- Per-user data gated on request.auth.uid? Write payloads validated (hasOnly, type/size)?
- Storage scoped per path, or a blanket "allow read, write: if request.auth != null" over match /{allPaths=**}? Any signed-in user, anonymous auth included, passes that check. (Deep-dive with the firestore-rules skill.)
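As an added example (not part of the skill or of the audited project): a grep-style static check in TypeScript that turns the section 1 questions into findings with line numbers. It is a heuristic over the text of a rules file, not a rules parser; every hit is a lead to verify by hand. SAMPLE_FIRESTORE_RULES and SAMPLE_STORAGE_RULES are constructed inputs, not the project's files.

```typescript
// Added example (not part of the skill): grep-style static check for the section 1
// findings. Heuristic, not a rules parser; treat each hit as a lead to verify by hand.

export type Severity = "High" | "Med" | "Low";
export interface Finding { severity: Severity; line: number; message: string }
interface Allow { line: number; ops: string[]; cond: string; path: string }

/** Extract every `allow` statement, tagged with the concatenated enclosing `match` paths. */
export function parseAllows(source: string): Allow[] {
  const stack: Array<string | null> = []; // one entry per open "{": match path, or null
  const allows: Allow[] = [];
  source.split("\n").forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, "").trim(); // strip line comments (naive: also in strings)
    if (line === "") return;
    const m = /^match\s+(.+?)\s*\{$/.exec(line);
    if (m) { stack.push(m[1] ?? ""); return; }
    const a = /^allow\s+([\w\s,]+?)\s*(?::\s*if\s+(.+?))?\s*;/.exec(line);
    if (a) {
      allows.push({
        line: i + 1,
        ops: (a[1] ?? "").split(",").map(s => s.trim()),
        cond: (a[2] ?? "true").replace(/\s+/g, " "), // `allow read;` without `if` means `if true`
        path: stack.filter((p): p is string => p !== null).join(""),
      });
      return;
    }
    if (line.endsWith("{")) stack.push(null); // service / function / other block
    if (line.startsWith("}")) stack.pop();
  });
  return allows;
}

const RANK: Record<Severity, number> = { High: 0, Med: 1, Low: 2 };
const WRITE_OPS = new Set(["write", "create", "update", "delete"]);

export function auditRules(source: string): Finding[] {
  const findings: Finding[] = [];
  const allows = parseAllows(source);
  for (const a of allows) {
    const ops = a.ops.join(", ");
    const recursive = a.path.includes("=**");
    if (a.cond === "true") {
      findings.push({ severity: "High", line: a.line, message: `unconditional allow ${ops} on ${a.path}` });
    } else if (a.cond === "request.auth != null") {
      // Any signed-in user (anonymous auth included, if enabled) passes; fatal on a recursive wildcard.
      findings.push({ severity: recursive ? "High" : "Med", line: a.line,
        message: `any signed-in user can ${ops} ${a.path}` });
    }
    // Heuristic: a write rule that never reads request.resource and calls no helper validates nothing.
    if (a.ops.some(op => WRITE_OPS.has(op)) && a.cond !== "false"
        && !a.cond.includes("request.resource") && !a.cond.includes("(")) {
      findings.push({ severity: "Low", line: a.line,
        message: `write on ${a.path} does not validate request.resource.data (hasOnly / type / size)` });
    }
  }
  // Default-deny catch-all: a recursive-wildcard match whose allow is `if false`, with no rules after it.
  const denyAll = allows.filter(a => a.path.includes("=**") && a.cond === "false");
  const lastLine = Math.max(0, ...allows.map(a => a.line));
  if (denyAll.length === 0) {
    findings.push({ severity: "High", line: 0,
      message: "no default-deny catch-all (match /{document=**} or /{allPaths=**}: allow read, write: if false)" });
  } else if (Math.max(...denyAll.map(a => a.line)) < lastLine) {
    findings.push({ severity: "Low", line: lastLine, message: "rules appear after the default-deny catch-all; keep it last" });
  }
  return findings.sort((x, y) => RANK[x.severity] - RANK[y.severity] || x.line - y.line);
}

// Constructed samples (not the project's files). Finding line numbers refer to these strings.
export const SAMPLE_FIRESTORE_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {
      allow read: if true;
      allow write: if request.auth != null;
    }
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /{document=**} {
      allow read, write: if false;
    }
  }
}`;

export const SAMPLE_STORAGE_RULES = `service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.auth != null;
    }
  }
}`;
```

On the Firestore sample this reports High at line 5 (public read of every post), Med at line 6 (any signed-in user can write any post), and Low at lines 6 and 9 (writes with no payload validation); the Storage sample gets two Highs, the blanket authenticated rule on {allPaths=**} and the missing default-deny. Conditions that call a helper function are skipped by the payload heuristic on purpose, so read the helper yourself.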
2. App Check
- Callables should enforce App Check: either the enforceAppCheck: true option, or a manual guard that rejects un-attested calls:
  if (request.app == undefined) { throw new HttpsError("failed-precondition", "…App Check verified app."); }
  Confirm each onCall in functions/src/wrappers/ enforces this. Without it, callables are reachable by anything holding the public web config.
3. Secrets vs. public config
- The firebaseConfig in src/config/project.ts is public web config, not a leak. Don't flag it.
- DO flag: service-account JSON, private keys, API secrets, or tokens committed anywhere, or secrets hardcoded in functions/ instead of Cloud Secret Manager (defineSecret from firebase-functions/params). Grep for PRIVATE KEY, secret, token, and .json credential files.
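As an added example (not part of the skill or of the audited project): a small scanner in TypeScript for the section 3 patterns. It flags PEM private keys, service-account JSON, Stripe live keys and quoted secret-looking literals, and deliberately does not flag the Google API key inside a file that defines firebaseConfig, since that is the public web key. SAMPLE_FILES is constructed input, not the project's source tree; the file names and key values in it are made up.

```typescript
// Added example (not part of the skill): scanner for the section 3 patterns. It flags
// PEM private keys, service-account JSON, Stripe live keys and quoted secret-looking
// literals, and skips the public web API key in a file that defines firebaseConfig.
// SAMPLE_FILES is constructed input, not the project's source.

export type Severity = "High" | "Med" | "Low";
export interface Finding { severity: Severity; file: string; line: number; message: string }

interface Rule { re: RegExp; severity: Severity; message: string; publicConfigOk?: boolean }

const RULES: Rule[] = [
  { re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/, severity: "High", message: "PEM private key committed" },
  { re: /"type"\s*:\s*"service_account"/, severity: "High", message: "service-account JSON committed" },
  { re: /\bsk_live_[0-9A-Za-z]{16,}/, severity: "High", message: "Stripe live secret key literal" },
  { re: /(secret|token|password|passwd)\w*\s*[:=]\s*["'][^"'\s]{8,}["']/i, severity: "Med",
    message: "hardcoded secret-looking literal; move it to defineSecret() / Secret Manager" },
  // AIza... is the Google API key format. Inside firebaseConfig it is the public web key
  // (not a finding); anywhere else, confirm the key is restricted before dismissing it.
  { re: /\bAIza[0-9A-Za-z_-]{35}\b/, severity: "Low", publicConfigOk: true,
    message: "Google API key outside firebaseConfig; confirm it is a restricted public key" },
];

export function scanForSecrets(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [file, content] of Object.entries(files)) {
    const definesPublicConfig = /\bfirebaseConfig\b/.test(content);
    content.split("\n").forEach((text, i) => {
      for (const r of RULES) {
        if (r.publicConfigOk && definesPublicConfig) continue;
        if (r.re.test(text)) findings.push({ severity: r.severity, file, line: i + 1, message: r.message });
      }
    });
  }
  return findings;
}

// Constructed sample tree: fake keys, fake file names. Only the shapes matter.
export const SAMPLE_FILES: Record<string, string> = {
  "src/config/project.ts":
    `export const firebaseConfig = {\n  apiKey: "${"AIzaSyA" + "0".repeat(32)}",\n  projectId: "demo-app",\n};`,
  "src/maps.ts": `const mapsKey = "${"AIzaSyB" + "1".repeat(32)}";`,
  "src/api.ts": `const authToken = "eyJhbGciOiJIUzI1NiJ9.e30.fakefakefake";`,
  "functions/src/stripe.ts":
    `const stripe = "sk_live_0123456789abcdef0123456789";\nconst webhookSecret = process.env.WEBHOOK_SECRET;`,
  "functions/service-account.json":
    `{ "type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----\\n" }`,
  "functions/src/params.ts":
    `import { defineSecret } from "firebase-functions/params";\nexport const STRIPE_KEY = defineSecret("STRIPE_KEY");`,
};
```

On the sample tree it reports three Highs (the Stripe key and the two service-account hits), one Med (authToken) and one Low (the bare key in src/maps.ts), and nothing for project.ts or for the defineSecret() usage in params.ts. Run it over the real checkout by reading the files into the same Record shape; a process.env reference never matches the literal rule, which is the behaviour you want.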
4. Function authorization & input
- Every onCall that touches user data must check request.auth before acting; a signed-out or wrong user must not read/write another user's data.
- HTTP servers (functions/functions/server/*, hono/express) exposed via hosting rewrites (/api/*, /hono_api/*, /v2_api/*): validate/authorize each route; don't trust the body.
- Set sane resource limits in the function options (maxInstances, timeoutSeconds, memory) to cap abuse/cost.
5. Hosting headers (firebase.json)
- Confirm CSP frame-ancestors 'none', X-Frame-Options: deny, X-Content-Type-Options: nosniff, and Referrer-Policy: no-referrer are still present on the rule with source: "**" (a narrower source glob leaves other responses uncovered).
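As an added example (not part of the skill or of the audited project): a TypeScript check of the section 5 headers in a parsed firebase.json, using the documented hosting.headers[].source / headers[].key,value layout. WEAK and FIXED are constructed configs, the weak one beside the corrected one, not the project's file.

```typescript
// Added example (not part of the skill): checks the section 5 headers in a parsed firebase.json.
// WEAK and FIXED are constructed configs, not the project's file.

interface Header { key: string; value: string }
interface HeaderRule { source: string; headers: Header[] }
interface HostingConfig { headers?: HeaderRule[] }
export interface FirebaseJson { hosting?: HostingConfig | HostingConfig[] }

interface Requirement { key: string; want: string; ok: (value: string) => boolean }

const REQUIRED: Requirement[] = [
  { key: "Content-Security-Policy", want: "frame-ancestors 'none'", ok: v => /frame-ancestors\s+'none'/i.test(v) },
  { key: "X-Frame-Options", want: "DENY", ok: v => v.trim().toUpperCase() === "DENY" },
  { key: "X-Content-Type-Options", want: "nosniff", ok: v => v.trim().toLowerCase() === "nosniff" },
  { key: "Referrer-Policy", want: "no-referrer", ok: v => v.trim().toLowerCase() === "no-referrer" },
];

/** One message per missing or weak header on the catch-all source "**"; empty when clean. */
export function auditHostingHeaders(cfg: FirebaseJson): string[] {
  const sites = Array.isArray(cfg.hosting) ? cfg.hosting : cfg.hosting ? [cfg.hosting] : [];
  if (sites.length === 0) return ["no hosting config"];
  const problems: string[] = [];
  sites.forEach((site, idx) => {
    // Only rules with source "**" apply to every response; narrower globs leave gaps.
    const catchAll: Header[] = [];
    for (const rule of site.headers ?? []) if (rule.source === "**") catchAll.push(...rule.headers);
    for (const req of REQUIRED) {
      const present = catchAll.filter(h => h.key.toLowerCase() === req.key.toLowerCase());
      if (present.length === 0) {
        problems.push(`site ${idx}: missing ${req.key} on source "**" (want ${req.want})`);
      } else if (!present.every(h => req.ok(h.value))) {
        problems.push(`site ${idx}: weak ${req.key} = ${present.map(h => h.value).join(" | ")} (want ${req.want})`);
      }
    }
  });
  return problems;
}

// Weak: CSP without frame-ancestors, SAMEORIGIN framing, no Referrer-Policy.
export const WEAK: FirebaseJson = { hosting: { headers: [
  { source: "**", headers: [
    { key: "Content-Security-Policy", value: "default-src 'self'" },
    { key: "X-Frame-Options", value: "SAMEORIGIN" },
    { key: "X-Content-Type-Options", value: "nosniff" },
  ] },
  { source: "**/*.@(js|css)", headers: [{ key: "Cache-Control", value: "max-age=31536000" }] },
] } };

// Fixed: all four headers on the catch-all rule.
export const FIXED: FirebaseJson = { hosting: { headers: [
  { source: "**", headers: [
    { key: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'none'" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "no-referrer" },
  ] },
] } };
```

WEAK yields three problems (weak CSP, weak X-Frame-Options, missing Referrer-Policy) and FIXED none. Both hosting shapes are handled because firebase.json uses an array under "hosting" for multi-site deployments.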
6. Frontend
- No v-html (XSS); no secrets in client code; auth guards (requireLogin) actually block protected views rather than only hiding UI. A route guard only steers navigation; the data behind the view is protected by the rules and function checks in sections 1 and 4, not by the guard.
7. Dependencies
- yarn npm audit (root and functions/) for known-vulnerable packages; note Dependabot alerts.
Output
Group findings by severity, most severe first. If clean, say so explicitly and list what was
checked. Recommend the exact deploy scope for any fix
(firebase deploy --only firestore:rules etc.).