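rules_version = '2';

// Cloud Storage security rules for the project's buckets.
// Rules are additive: a request is allowed only if some `allow` whose
// `match` covers the path evaluates to true; nothing here grants access
// outside product-images/.
service firebase.storage {
  match /b/{bucket}/o {
    // Default-deny policy for the entire storage registry. This catch-all
    // never grants anything; it exists so that every other path is closed
    // unless a more specific match below opens it.
    match /{allPaths=**} {
      allow read, write: if false;
    }

    // Rules for the product-images folder: public read allowed,
    // authenticated writes only. `{imageId}` is a single-segment wildcard,
    // so only objects directly under product-images/ match (no nested
    // prefixes).
    match /product-images/{imageId} {
      // Public read (covers both get and list).
      allow read: if true;

      // Uploads and overwrites: any signed-in user, capped at 5 MB, image
      // MIME types only. `create, update` is used instead of `write` so the
      // size/contentType checks are not evaluated for delete requests,
      // which carry no request.resource; delete is granted separately
      // below. Outcome is unchanged from a combined `write` rule, but the
      // intent is explicit.
      // NOTE(review): contentType is client-declared object metadata, not
      // sniffed from the uploaded bytes; treat it as a hint, not proof that
      // the object is an image.
      // NOTE(review): `request.auth != null` lets any authenticated user
      // overwrite or delete any product image, not just their own -- confirm
      // this is intended, or bind imageId / object metadata to
      // request.auth.uid.
      allow create, update: if request.auth != null
          && request.resource.size < 5 * 1024 * 1024 // limit size to 5MB
          && request.resource.contentType.matches('image/.*'); // strictly image MIME types

      // Deletion: any signed-in user.
      allow delete: if request.auth != null;
    }
  }
}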