Automatically test your Row Level Security policies and find data exposure vulnerabilities before attackers do.
Every Supabase app exposes the anon key in client-side JavaScript. This is by design—but without proper Row Level Security, anyone can use it to read, modify, or delete ALL your data.
// An attacker copies the project URL and anon key out of your bundle, opens DevTools and runs:
import { createClient } from '@supabase/supabase-js';
const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY); // both values are public in your JS
const { data } = await supabase.from('users').select('*');
// Without RLS: returns ALL rows of the users table
We actively query your tables using the anon key to verify RLS policies are working. If we can read data, so can attackers.
Automatically discovers exposed tables and reports exactly which ones are leaking data and what fields are accessible.
Checks your Supabase Auth setup for weak password policies, missing email confirmation, and insecure redirect URLs.
Tests storage bucket policies to ensure uploaded files aren't publicly accessible when they shouldn't be.
Paste your Supabase app URL. We automatically detect your Supabase project.
Our scanner finds your Supabase URL and anon key from your frontend code.
We query your database tables using the anon key, exactly like an attacker would.
Receive a detailed report showing exposed tables, missing RLS, and exact fixes.
Your Supabase anon key is visible in your frontend JavaScript - this is expected and by design. The anon key itself isn't a secret. However, without Row Level Security (RLS) enabled, anyone with that key can read ALL your data. Use VAS to test if your tables are actually protected.
Common reasons RLS fails: 1) RLS is enabled but no policies are defined (Postgres then denies every row, so the app breaks rather than leaks), 2) Policies use auth.uid() but requests arrive with the anon key, so auth.uid() is null and the policy denies access, 3) Policies have logic errors, such as a permissive USING (true) policy, that allow unintended access. Because policies are permissive and combined with OR, a single over-broad policy overrides the restrictive ones beside it. VAS tests your actual RLS configuration by querying tables like an attacker would.
First, enable RLS on all tables with sensitive data: ALTER TABLE your_table ENABLE ROW LEVEL SECURITY. Tables created with plain SQL do not get RLS automatically, so check every table, not just the ones created in the dashboard. Enabling RLS alone blocks all access; then create policies defining who can access what, scoping rows to the requesting user with auth.uid(). VAS scan results include the exact SQL commands needed to secure your specific exposed tables.
If RLS isn't properly configured, yes - anyone can use your anon key to read, insert, update, or delete data. The anon key is public by design; your database security depends entirely on RLS policies. Run a VAS scan to find out if your data is exposed.
Enable RLS on ALL tables, create restrictive policies (deny by default), use auth.uid() to scope data to users, never expose service_role key in frontend, validate inputs server-side, and regularly test your RLS with tools like VAS to catch misconfigurations.
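The fixes described in the answers above, worked through as an added SQL example. This is not VAS output or Supabase's own code: it assumes a hypothetical table public.profiles(id uuid, user_id uuid, email text, bio text) created with plain SQL (so RLS is off), that the SQL editor role is a member of anon and authenticated (as the default postgres role in Supabase is), and that auth.uid() reads the request.jwt.claims setting. It shows the audit query for tables with RLS off or no policies, the over-broad policy that re-exposes a table, the owner-scoped replacements, and how to verify the result by impersonating the anon role.

```sql
-- Added example, not VAS output. Hypothetical table public.profiles(id, user_id, email, bio).

-- 0. Audit: tables in public with RLS disabled or with RLS enabled but no policies.
--    relrowsecurity = false is the "anon key reads everything" state.
select c.relname,
       c.relrowsecurity as rls_enabled,
       (select count(*) from pg_policies p
         where p.schemaname = 'public' and p.tablename = c.relname) as policy_count
from pg_class c
where c.relnamespace = 'public'::regnamespace
  and c.relkind = 'r'
order by c.relname;

-- 1. Enable RLS. With no policies this is deny-by-default: the app stops
--    working for this table, but nothing leaks (failure mode 1).
alter table public.profiles enable row level security;

-- 2. WRONG policy (failure mode 3): policies are permissive and OR'd together,
--    so this one alone hands every row back to the anon key. Left commented out.
-- create policy "profiles_public_read" on public.profiles
--   for select to anon, authenticated using (true);

-- 3. Correct policies: one per operation, each scoped to the row owner.
--    auth.uid() is null for the anon key, so anonymous requests are denied;
--    that is the intended outcome of failure mode 2, not a bug.
--    (select auth.uid()) lets Postgres evaluate the helper once per query.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "profiles_delete_own" on public.profiles
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- 4. Verify as the anon role (what the anon key maps to): expect 0 rows.
--    Assumes the editor role may SET ROLE anon; rollback undoes the role switch.
begin;
set local role anon;
select count(*) as rows_visible_to_anon from public.profiles;
rollback;

-- 5. Verify as a signed-in user. The sub claim is a constructed placeholder;
--    only rows whose user_id matches it should come back.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                  true);
select id, user_id, email from public.profiles;
rollback;
```

Run step 0 first and treat every row with rls_enabled = false, or rls_enabled = true and policy_count = 0, as a finding: the first is exposed, the second is broken. A count greater than zero in step 4 means some policy still grants the anon role access; look for USING (true) or a policy whose target role is anon.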
Don't wait for a data breach. Find out exactly which tables are exposed and get the SQL to fix them.
Start Free Scan. The free scan checks security headers; the full scan tests RLS policies.