What People Actually Say About Supabase Security
Last updated: June 30, 2026
What developers report on Reddit, X, and forums about Supabase security, checked against what we actually find when we scan Supabase apps.
The Consensus
Platform trusted, configuration risky
The community verdict on Supabase is consistent: the platform itself is trusted and well-engineered, and almost every real-world breach traces back to one thing the developer skipped, Row Level Security. The arguments online are rarely about Supabase being insecure; they are about people shipping tables with RLS disabled and the public anon key doing exactly what it is allowed to do.
What Keeps Coming Up
The recurring Supabase security themes developers raise, and what our own scans show about each one.
Is the anon key safe to expose?
The most repeated question. The consensus answer is correct: the anon key is public by design and safe to ship, as long as Row Level Security is enabled with policies that actually scope rows to the requesting user. People get burned when they treat RLS as optional.
We confirmed this empirically. The anon key was never the vulnerability; it is just a JWT for the low-privilege anon database role, and it can do exactly what that role is granted. The exposure was always RLS being off on a table in the exposed schema, which hands that public key full read or write access to every row.
RLS is the whole ballgame
Experienced developers repeat that 'RLS off equals public database.' Newer builders, especially those using AI tools, frequently don't realize their tables shipped without it.
Supabase was the number one source of critical findings in our scans. We found readable tables exposing bank account numbers, patient access codes, OAuth tokens, and audit logs, plus more than 50 tables that accepted writes from anyone.
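The "RLS off equals public database" check, and its fix, in SQL run against the project database. This is an added example, not code from the page or from Supabase; the orders table, its user_id and total columns, and the policy names are assumptions for illustration. The first audit query is the server-side counterpart of testing every table from an anonymous client: any public-schema table it lists is fully readable and writable with the anon key, because without RLS the anon role's default table grants apply to every row. The second query catches the other failure mode the page describes, a table with RLS on but a policy that lets everything through.

```sql
-- 1. Audit: tables in the exposed schema with RLS still disabled.
--    Each one is reachable at /rest/v1/<table> with only the anon key.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
  and not c.relrowsecurity;

-- 2. Audit: RLS on, but a policy whose expression is literally true.
--    This is the "overly permissive policy" case.
select tablename, policyname, roles, cmd
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- 3. Fix for one table (public.orders with user_id uuid, total numeric is assumed).
alter table public.orders enable row level security;

-- Anti-pattern, shown only for contrast. Do not create this:
--   create policy "open" on public.orders for all using (true) with check (true);

-- Users read only their own rows. No policy names the anon role, so a request
-- made with the anon key gets an empty result set instead of the table.
create policy "orders: owner can read"
  on public.orders
  for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- Users may insert only rows that belong to them.
create policy "orders: owner can insert"
  on public.orders
  for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

-- 4. Verify from the database side by impersonating the anon role
--    (run in the SQL editor as postgres; the transaction is rolled back).
begin;
set local role anon;
select count(*) from public.orders;                                      -- 0
insert into public.orders (user_id, total) values (gen_random_uuid(), 1); -- policy error
rollback;
```

Step 4 is a sanity check, not a substitute for the anonymous-client test: it runs with no JWT claims set, so auth.uid() is null and every owner-scoped policy evaluates false, which is exactly what an anon-key request looks like to Postgres. Re-run queries 1 and 2 before each deploy; a table that appears in either list is the finding class that dominates the scan results above.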
Unprotected RPC functions and Edge Functions
A quieter but growing thread: stored procedures and Edge Functions that get called with the anon key because nobody added an auth check.
We found sensitive functions callable by anyone, with names like get_admin_user_id, generate_license_key, and generate_transfer_token, plus Edge Functions like send-email and stripe-webhook with no authentication.
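What fixing an exposed RPC function looks like, as an added example that is not code from the page or from Supabase. Functions in the public schema are callable at POST /rest/v1/rpc/<name>, and Postgres grants EXECUTE on new functions to PUBLIC by default, so the anon role can call them unless someone revokes it. generate_transfer_token is one of the names from the findings above; its signature, and the accounts and transfer_tokens tables, are assumptions for illustration.

```sql
-- 1. Audit: functions in the exposed schema that the anon role may execute.
--    Every row here is callable with nothing but the public anon key.
select p.proname, pg_get_function_identity_arguments(p.oid) as args
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and has_function_privilege('anon', p.oid, 'EXECUTE');

-- 2. Stop future functions inheriting EXECUTE for everyone. Default privileges
--    apply to objects created by the role running this (postgres in the SQL editor).
alter default privileges in schema public revoke execute on functions from public;

-- 3. Harden one function (assumed signature and tables).
create or replace function public.generate_transfer_token(p_account_id uuid)
returns text
language plpgsql
security definer            -- runs as the owner and so bypasses RLS: authorize explicitly
set search_path = public    -- pin search_path so a definer function cannot be hijacked
as $$
declare
  v_caller uuid := auth.uid();   -- null when the request carried only the anon key
  v_token  text;
begin
  if v_caller is null then
    raise exception 'authentication required' using errcode = '42501';
  end if;

  -- The caller must own the account the token is issued for.
  if not exists (
    select 1
    from public.accounts a
    where a.id = p_account_id
      and a.owner_id = v_caller
  ) then
    raise exception 'not authorized for this account' using errcode = '42501';
  end if;

  -- 122 bits of randomness from the built-in generator (PostgreSQL 13+).
  v_token := replace(gen_random_uuid()::text, '-', '');

  insert into public.transfer_tokens (account_id, token, created_by)
  values (p_account_id, v_token, v_caller);

  return v_token;
end;
$$;

-- 4. Grants are the outer gate; the auth.uid() check inside is the inner one.
--    Keep both: a later GRANT mistake should not make the function anonymous again.
revoke execute on function public.generate_transfer_token(uuid) from public, anon;
grant  execute on function public.generate_transfer_token(uuid) to authenticated;
```

Postgres grants do not reach Edge Functions. For those, leave the gateway's JWT verification on (it is switched off by deploying with --no-verify-jwt or setting verify_jwt = false in config.toml) and still check the caller inside the function, because JWT verification only proves the request carried a valid project token, and the anon key is one. A webhook receiver such as stripe-webhook legitimately runs without a user JWT; it must instead validate the provider's signature header on every request before acting on the payload.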
Worried about your own Supabase app?
Run a free scan and get your overall security score, what you're already doing right, and your single most serious issue in about 2 minutes. Unlock the full report with a copy-paste fix for every finding for $5, or run a full Deep Scan for $19.
Scan your Supabase app free
No credit card to scan. Your score and top issue are free.
What Developers Praise & Warn About
Commonly Praised
- Strong, well-documented platform with SOC 2 compliance
- RLS is powerful once you understand it
- Generous free tier and great developer experience
- Postgres underneath, so no proprietary lock-in on the data model
Common Complaints
- RLS is easy to forget and the default feels permissive to beginners
- AI tools scaffold tables without policies and never warn you
- The PostgREST API exposes every table in the public schema by default, which surprises people
- Easy to confuse the anon key (public) with the service_role key (never public)
What We Found Scanning Supabase Apps
Supabase appeared in roughly a third of the vibe-coded apps we scanned, and it produced more critical and high-severity findings than any other backend.
Readable tables exposed real data: account numbers, patient access codes, stored OAuth tokens, and admin audit logs.
More than 50 distinct tables accepted unauthenticated INSERTs, including tables named payments, orders, and transactions.
Sensitive RPC functions were callable with the public key, including admin and license-generation functions.
Apps detected as Supabase-primary averaged the highest critical-finding count of any platform we measured.
The Bottom Line
Supabase is a genuinely secure platform that is easy to deploy insecurely. The community is right that the anon key is fine and RLS is everything. The gap is that AI builders scaffold tables without policies, so the safest assumption is that your RLS is not what you think it is until you have tested every table from an anonymous client. That single check prevents the large majority of what we find.
Frequently Asked Questions
Is Supabase safe according to Reddit and the developer community?
The consensus is yes, the platform is safe and widely trusted. The caveat everyone repeats is that you must enable Row Level Security on every table. Nearly all real Supabase incidents come from RLS being disabled, not from a flaw in Supabase itself.
Is it safe to expose the Supabase anon key?
Yes. The anon key is public by design and meant to ship in client code. It is only dangerous when Row Level Security is off, or when a policy grants the anon role unrestricted access, because then the key can read or write tables freely. With RLS enabled and policies scoped to the requesting user, exposing the anon key is expected and safe.
What is the most common Supabase security mistake?
Shipping tables with Row Level Security disabled, or with an overly permissive policy. In our scans this single mistake exposed sensitive tables in app after app and accounted for most of the critical findings.
Stop Guessing About Your Supabase App
Forum advice is a starting point. A scan gives you your Supabase app's real security score and biggest risk in minutes; unlock the full report with copy-paste fixes for $5.
More on Supabase Security
Every angle of Supabase security — from the specific findings we detect to step-by-step fixes.
Supabase Security Scanner
Hub page: scan your Supabase app for vulnerabilities.
Supabase Security Risks
Specific risks we find in Supabase apps, with real-world examples.
Supabase Security Issues
Issues grouped by severity with detection and fix steps.
Supabase Best Practices
Remediation playbook derived from Supabase's actual failure modes.
Is Supabase Safe?
Honest assessment of Supabase's production readiness.
Supabase Security Checklist
Pre-launch checklist covering every finding class for Supabase.
How to Secure Supabase Apps
Step-by-step hardening guide for Supabase deployments.
Can Supabase Apps Be Hacked?
Attack vectors specific to Supabase and how they get exploited.