What are the security best practices for Firebase applications?

Comprehensive Firebase security best practices: (1) Never use permissive rules in production — rules like allow read, write: if true expose all data. Always require authentication minimum; (2) Validate data in security rules — check data types, required fields, and value ranges: allow create: if request.resource.data.age is int && request.resource.data.age > 0 && request.resource.data.age < 150; (3) Test security rules — use the Firebase Rules Simulator and @firebase/rules-unit-testing. Deploy rules changes to staging first; (4) Enable App Check — prevent unauthorized API access from scripts and bots; (5) Use Firebase Auth for all user actions — never allow anonymous writes to sensitive collections; (6) Server-side validation in Cloud Functions — don't trust client data; validate in Cloud Functions even if rules allow the write; (7) Audit Admin SDK usage — Admin SDK bypasses security rules; restrict who deploys Cloud Functions; use service accounts with minimum required permissions; (8) Monitor for anomalies — set up budget alerts; monitor read/write rates; high unexpected traffic may indicate a misconfigured rule or a scraping attack; (9) Rotate API keys periodically — Firebase API keys are publicly visible in client code but restrict them in Google Cloud Console by HTTP referer (web) or package name (mobile); (10) HTTPS only — Firebase Hosting enforces HTTPS automatically; use wss:// for Realtime Database.