Here's a little secret. The security rules you, as a Firebase developer, write for your Firebase, are actually server-side validation code. It just doesn't look like typical code, and we've carefully designed them to have a lot of good properties regarding performance, correctness, and analyzability. And we (Firebase) take care of enforcing them for you.
But it /is/ server-side validation, that you as a developer get to specify.
(That said, we're definitely happy to get feedback on our approach from any security experts out there that want to take a look!)
But it /is/ server-side validation, that you as a developer get to specify.
(That said, we're definitely happy to get feedback on our approach from any security experts out there that want to take a look!)