Firebase · Authenticationintermediate

Firebase Project Config (firebase.json)

A firebase.json wiring up Hosting with SPA rewrites and cache headers, plus Firestore and emulator settings — a typical web-app deploy config.

firebasehostingfirestoreconfigdeploy

Preview

{
  "hosting": {
    "public": "dist",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "**",
        "destination": "/index.html"
      }
    ],
    "headers": [
      {
        "source": "**/*.@(js|css|woff2)",
        "headers": [
          {
            "key": "Cache-Control",
            "value": "max-age=31536000, immutable"
          }
        ]
      }
    ]
  },
  "firestore": {
    "rules": "firestore.rules",
    "indexes": "firestore.indexes.json"
  },
  "emulators": {
    "auth": {
      "port": 9099
    },
    "firestore": {
      "port": 8080
    },
    "hosting": {
      "port": 5000
    },
    "ui": {
      "enabled": true
    }
  }
}

AI actions

Documentation

Purpose

Describe how the Firebase CLI deploys a project — hosting rewrites, headers, Firestore rules, and local emulators.

When to use

Deploying a single-page app to Firebase Hosting with Firestore, and running the local emulator suite during development.

Required fields

  • No single field is required — you include only the products you use (hosting, firestore, functions…).

Optional fields

  • hosting.rewrites — SPA fallback to index.html
  • hosting.headers — cache-control and security headers
  • firestore.rules / indexes — database config files
  • emulators — local ports for the emulator suite

Best practices

  • Use a catch-all rewrite to index.html for client-side routing.
  • Set long cache lifetimes on hashed static assets, short on HTML.
  • Keep security rules in a separate firestore.rules file, referenced here.

Security considerations

  • firebase.json is safe to commit — it holds no secrets or API keys.
  • Your real security boundary is firestore.rules, not this file.