Skip to content
Picture of Laptop with Angular and Firebase logo on top
Security

Securing Angular Apps That Use Firestore in 2026

A practical guide to securing Angular apps that use Firestore, covering Firebase Auth, Security Rules, App Check, emulator tests, and why route guards are not your security boundary.

Written byAaron Russell
Published
Updated
Reading time4 minute read

Key findings

  • A practical guide to securing Angular apps that use Firestore, covering Firebase Auth, Security Rules, App Check, emulator tests, and why route guards are not your security boundary.
  • Covers Start with the real security boundary, Use Firebase Auth as the identity layer, Write Firestore Security Rules like they matter.
  • Key topics: Angular, Firebase, Firestore, Security.
  • Published April 7th, 2023 and updated June 30th, 2026.
  • 4 minute read.

The most common Firestore security mistake is assuming the frontend is part of the security boundary. It is not. Angular guards, hidden buttons, and client-side role checks can improve the user experience, but they do not protect your data. Real protection lives in Firebase Auth, Firestore Security Rules, App Check, server-side validation, and tests that prove the rules behave the way you think they do.

If I were reviewing an Angular and Firestore app in 2026, this is the order I would work in.

Start with the real security boundary

Anything running in the browser belongs to the user. They can inspect it, bypass it, or replay requests against your backend. That means route guards, disabled UI controls, or “only show this button to admins” logic are not security measures on their own.

They are useful for navigation and product flow. They are not authorisation.

Use Firebase Auth as the identity layer

You need a clear authentication model first. Know who the user is, what providers you support, how sessions are managed, and whether admin or privileged roles are expressed through custom claims or through data your rules can safely inspect.

Auth should answer identity. Rules should answer access.

Write Firestore Security Rules like they matter

Security Rules are the real gatekeeper for Firestore reads and writes. This is where document ownership, tenant boundaries, roles, and field-level restrictions should live.

At a minimum, I want to see:

  • no broad public read or write rules by accident

  • ownership checks for user-scoped documents

  • role or claim checks for elevated actions

  • validation around fields users are allowed to write

  • separation between “can create”, “can update”, and “can delete” where needed

Do not trust Angular guards for data protection

Angular guards are still useful. I use them for routing decisions, onboarding flow, feature access, and making sure users do not wander into pages that make no sense for their current state. But they are not a substitute for backend enforcement.

If a user can still call Firestore directly and your rules allow it, the guard has not protected anything.

Use App Check, but understand what it does

App Check is worth enabling because it helps reduce abuse from unauthorised clients and scripted misuse. It is a good additional layer. It is not a replacement for Security Rules and it should not be treated as one.

Think of it as making abuse harder, not making bad rules safe.

Be deliberate with custom claims and admin actions

If you need admin or staff permissions, custom claims are often the cleanest route. The main thing is to keep privilege assignment controlled and auditable. Avoid inventing role logic purely in frontend state or loosely trusted profile documents.

For sensitive operations, I often prefer moving the action into a trusted backend path such as Cloud Functions or another server-side layer, especially when validation or side effects are non-trivial.

Validate writes, not just reads

A lot of teams think about “who can read this document?” and forget to ask “what exactly can they write?”

Good rules often need to restrict:

  • which fields can be created

  • which fields can be changed later

  • whether ownership fields can be reassigned

  • whether status transitions are allowed

  • whether timestamps and server-controlled values are client-writable

Test rules with the emulator

If the rules are not tested, they are usually less trustworthy than the team thinks. The Firebase Emulator Suite is the right place to prove access behaviour for normal users, admins, anonymous users, cross-tenant access attempts, and malformed writes.

I want tests for both the allowed path and the denied path. Security rules that are only “visually inspected” tend to drift into unsafe territory over time.

Use server-side validation when the workflow is sensitive

Not every operation should be a direct client write. If an action affects billing, moderation, access control, invitations, approvals, or anything with business-critical consequences, a trusted backend flow is often the safer design. Firestore is powerful, but not every business rule belongs in direct client mutations.

Common mistakes I still see

  • assuming hidden UI equals protection

  • allowing authenticated users to read or write too broadly

  • storing roles in documents without protecting how those roles are changed

  • forgetting to validate updated fields, not just document existence

  • never testing rules against the emulator

  • treating App Check as the main defence

How this fits with platform choice

This is one of the trade-offs that matters in the broader Firebase conversation. Firebase is still excellent for shipping quickly, but its security model rewards teams that take the rules layer seriously. If your team wants a more relational backend with conventional server boundaries, that is one reason a platform like Supabase may feel more natural. I cover that in my BaaS comparison.

What I would do on a real project

  • Define auth and user roles clearly.

  • Model document ownership and tenant boundaries explicitly.

  • Write Firestore Security Rules first for sensitive collections.

  • Use Angular guards for UX, not trust.

  • Enable App Check.

  • Move high-risk mutations behind server-side logic.

  • Test the rules in the emulator and keep those tests in CI.

Bottom line

Securing an Angular app that uses Firestore is mostly about respecting where the trust boundary actually is. The browser is not trusted. The rules layer is. Once a team internalises that, the architecture gets much safer very quickly.

Related posts

Keep reading