Framer + Supabase Security
Framer's design-first approach combined with Supabase enables dynamic, data-driven sites. Security requires proper RLS and credential management.
Why Framer + Supabase?
Framer developers use Supabase to add dynamic content, user authentication, and CMS-like functionality to their design-forward sites.
Common Vulnerabilities
These are the security issues we find most often in Framer apps using Supabase.
Client-Side API Keys
Supabase credentials in Framer components are exposed in the client bundle.
No RLS on Content Tables
CMS-style content tables may lack RLS, exposing all content even if some should be private.
Service Key Usage
Tutorials may suggest using the service_role key for simplicity, which bypasses all security.
User Data Without Policies
User-submitted data (forms, profiles) may lack ownership-based access control.
What We Check for Framer + Supabase
Credential Review
Verify that only the anon key is used, not the service_role key.
RLS on All Tables
Check that RLS is enabled on every table with user data.
Public vs Private Content
Review which content should be public and configure RLS accordingly.
Form Submission Security
Verify form data is protected with appropriate RLS policies.
Quick Security Wins
Apply these fixes right now to improve your security.
Use anon key only - service_role key should never be in Framer
Enable RLS on all tables containing dynamic content
Create public read policies for CMS content: USING (true)
Create ownership policies for user data: USING (auth.uid() = user_id)
Use Supabase Edge Functions for sensitive operations
The Bottom Line
Framer + Supabase is great for dynamic sites when RLS is properly configured. Anon key exposure is expected - security comes from RLS policies.
Secure Your Framer + Supabase App
Find Row Level Security misconfigurations, exposed credentials, and other vulnerabilities before attackers do.
Frequently Asked Questions
Is it safe to have Supabase anon key in my Framer site?
Yes, the anon key is designed to be public. Security comes from Row Level Security (RLS) policies, not key secrecy. Configure RLS to control what authenticated and unauthenticated users can access. Never use the service_role key in Framer.
How do I add authentication to my Framer + Supabase site?
Use Supabase Auth with custom Framer components. Implement sign-up/sign-in flows that call Supabase Auth methods. Store the session token and use it for authenticated API calls. RLS policies will then properly restrict data based on the authenticated user.
Should CMS content tables have RLS enabled?
Yes, enable RLS on all tables. For public content, add a SELECT policy with USING (true). For tables that hold draft/private content, add a SELECT policy with USING (status = 'published') instead, because permissive policies on the same table are combined with OR. This prevents unpublished content from being accessed via the API.
How do I protect form submissions in Framer with Supabase?
Enable RLS on the submissions table. Add an insert policy allowing anonymous submissions if needed. Add select/update/delete policies requiring authentication and ownership. Consider using Supabase Edge Functions for additional validation before inserting data.
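The policies described in the quick wins and in the CMS and form-submission answers above, written out as Postgres SQL. This is an added example, not code from the original page; the tables public.posts, public.profiles and public.form_submissions and their status and user_id columns are hypothetical names chosen for illustration.

```sql
-- Hypothetical tables: public.posts (status), public.profiles (user_id),
-- public.form_submissions (user_id, nullable for anonymous submissions).

-- 1. Enable RLS everywhere. With RLS on and no policy, the anon and
--    authenticated roles see no rows at all (default deny).
alter table public.posts            enable row level security;
alter table public.profiles         enable row level security;
alter table public.form_submissions enable row level security;

-- 2. CMS content: readable by everyone, but only published rows.
--    Use "using (true)" only on tables where every row is meant to be public.
create policy "Public reads published posts"
  on public.posts for select
  to anon, authenticated
  using (status = 'published');

-- 3. User data: ownership-based access.
create policy "Users read own profile"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

create policy "Users update own profile"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);  -- row must still belong to the caller after the update

-- 4. Form submissions: anyone may insert, but a row may only carry the
--    caller's own user_id (or none), so submissions cannot be attributed to others.
create policy "Anyone can submit"
  on public.form_submissions for insert
  to anon, authenticated
  with check (user_id is null or user_id = auth.uid());

create policy "Owners read own submissions"
  on public.form_submissions for select
  to authenticated
  using (auth.uid() = user_id);

-- 5. Audit: list tables in the public schema that still have RLS disabled.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Because anonymous visitors have no select policy on form_submissions, an insert that asks for the inserted row back will be rejected; insert without requesting the returned row.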