Supabase Security Scanner

Sahil Ahluwalia
2 min read

Auditing Supabase Security: How to Detect Misconfigurations Before Hackers Do

Supabase makes it easy to build full-stack apps with a Postgres backend. But with great simplicity comes a common problem: misconfigured policies that can expose your data to the public internet.

This post explains how to audit your Supabase project for security flaws and why it matters.


Why Security Auditing Is Critical

When you create a Supabase project, two keys are generated:

  • Anon Key – Used by the client for public access.

  • Service Role Key – Full access to the database.

If the wrong policies are set or Row Level Security (RLS) is disabled, anyone with the anon key can:

  • Query sensitive tables.

  • Insert or delete data.

  • Call functions you never intended to expose.


What to Check in a Supabase Project

1. Row Level Security (RLS)

RLS is OFF by default. Enabling it is the single most important security step.

Check:

SELECT c.relname, c.relrowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'          -- ordinary tables only (skip indexes, sequences, catalogs)
  AND n.nspname = 'public'     -- the schema PostgREST exposes through the API
  AND c.relrowsecurity = false;

If any table shows false, that table is wide open.


2. Public Read/Write Access

Supabase uses PostgREST. If your policies are missing or too broad, the anon key can perform:

GET /rest/v1/{table}?select=*
POST /rest/v1/{table}
PATCH /rest/v1/{table}

Test these with the anon key. If you can write or read everything, you have a problem.


3. Accidental Service Role Exposure

Never embed the service_role key in the frontend. It gives full database access without restrictions.


Automating the Audit

Manual checks are time-consuming. That’s why we built Supabase Security Auditor:

  • Input your Supabase URL & anon key.

  • It tests for:

    • RLS status.

    • Public read/write access.

  • Generates a report with detailed statistics.
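The read-access half of the auditor described above (and of the PostgREST checks in section 2), as an added example that is not the post's Supabase Security Auditor: it discovers tables from PostgREST's OpenAPI document at /rest/v1/ and issues one anonymous single-row GET per table, reporting what the anon key alone can read. Write probes are deliberately left out so the audit never mutates your data; the demo_fetch responses are constructed, and a live run takes your own project URL and anon key as arguments.

```python
import json
import sys
import urllib.error, urllib.request

def http_get(url, anon_key):
    """GET `url` carrying only the anon key; return (status, body)."""
    req = urllib.request.Request(url, headers={
        "apikey": anon_key, "Authorization": f"Bearer {anon_key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def list_tables(project_url, anon_key, fetch=http_get):
    """PostgREST's OpenAPI document lists exposed tables/views under 'definitions'."""
    status, body = fetch(f"{project_url}/rest/v1/", anon_key)
    return sorted(json.loads(body).get("definitions", {})) if status == 200 else []

def classify(status, body):
    """Interpret the response to a one-row anonymous GET on a table."""
    if status in (401, 403):
        return "denied"              # anon role lacks privileges on the table
    if status != 200:
        return f"error {status}"
    # An empty array means either RLS with no permissive anon policy or an
    # empty table; indistinguishable from outside, so flag it for review.
    return "READABLE" if json.loads(body) else "empty/filtered"

def audit(project_url, anon_key, fetch=http_get):
    """Return {table: verdict} for every table PostgREST exposes."""
    return {t: classify(*fetch(f"{project_url}/rest/v1/{t}?select=*&limit=1",
                               anon_key))
            for t in list_tables(project_url, anon_key, fetch)}

def demo_fetch(url, anon_key):
    """Constructed offline stand-in for http_get: one open, one denied, one empty."""
    if url.endswith("/rest/v1/"):
        return 200, '{"definitions": {"profiles": {}, "orders": {}, "secrets": {}}}'
    if "/secrets?" in url:
        return 200, '[{"id": 1, "api_token": "constructed"}]'
    if "/orders?" in url:
        return 401, '{"message": "permission denied for table orders"}'
    return 200, "[]"

if __name__ == "__main__":  # args: <project_url> <anon_key>; no args runs the demo
    report = audit(*sys.argv[1:]) if len(sys.argv) == 3 else audit("https://demo", "anon", demo_fetch)
    for table, verdict in report.items():
        print(f"{verdict:15} {table}")
```

Any table marked READABLE is exactly the "wide open" case from section 1; "empty/filtered" tables still deserve the SQL check, since an empty table with RLS off looks identical from the outside.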


Best Practices

  • Always enable RLS.

  • Define explicit policies for every table.

  • Never put service_role key in frontend clients.

  • Regularly audit your database. Misconfigurations happen during rapid development.


Final Word

Supabase is a great tool, but security is your responsibility. One misconfigured policy can lead to a catastrophic data leak. Automate your audits and ship with confidence.


🔗 Check the GitHub project: Supabase-RLS-Checker
