We’re constantly working to improve the security of Firebase-powered apps. To this end, starting on February 4th, we will be requiring that all Firebase database traffic uses SSL.

The following changes will take effect on February 4th:

  1. We’ll be updating our JavaScript clients to always use SSL, regardless of the protocol specified in the Firebase database URL.
  2. We’ll be disabling the non-HTTPS endpoint for our REST API and all other services.

To prepare for this switch, you must ensure that all Firebase database references in your apps begin with https://. This is especially important for apps that use the REST API or Node.js client, as they will no longer work after the switch is made.

We are making this change because we believe your data should be encrypted by default. This has become standard practice for leading technology products like Gmail, Facebook and Twitter, and we think it’s important for every Firebase app as well. By requiring SSL (and no longer supporting unencrypted traffic) we’re protecting developers from accidentally exposing their users’ private data.

Thanks for building your app with us and we look forward to serving you over the coming years. As always, comments and feedback are welcome.