Supabase security

Is Supabase secure?

Supabase is incredible. Without RLS, it's also a public read.

Supabase ships the easiest auth + database + storage stack ever. The default tradeoff: your anon key is public (by design), so anything not protected by Row Level Security is readable by anyone with your URL. The good news — it's fixable in minutes if you can see what's exposed.

Run a free scan

Get a graded security report for your Supabase app in under a minute.

Scan my Supabase app

Why Supabase apps are commonly at risk

The anon key is in your JS bundle. That's normal. What's not normal is leaving tables readable from it.
Many apps disable RLS during development and forget to re-enable it before production.
Service-role keys sometimes get committed to the client bundle by mistake — that's catastrophic.
Storage buckets often default to public when devs are debugging upload flows.
Edge functions can expose internal endpoints if `verify_jwt` is off.

Top security risks in Supabase apps

Tables without Row Level Security

high

Every table queryable from the client must have RLS on. CheckVibe enumerates and verifies.

Service-role key in client bundle

high

A service-role key bypasses RLS. If it's in your JS, every user has admin access to your database.

Public Storage buckets

high

Public buckets are fine for user avatars; they're catastrophic for invoices, contracts, or user uploads.

Edge functions without JWT verification

medium

An edge function with `verify_jwt = false` is callable by anyone.

Anonymous sign-ups enabled but unmonitored

low

Trivial to spam your auth table to exhaust your free tier.

How to fix Supabase security gaps

Run `SELECT tablename FROM pg_tables WHERE NOT relrowsecurity AND schemaname = 'public';`

Any row returned is a table missing RLS. Enable it.

Grep your bundle for `service_role`

If it exists, rotate the key immediately and move all admin calls server-side.

Audit storage bucket policies

Public-read should be the rare exception. Default to authenticated-read.

Enable `verify_jwt` on every edge function unless you specifically need anonymous access

Set in `supabase/config.toml`.

FAQ

Is Supabase secure for production?

Yes, when you use it correctly. The biggest risk is leaving Row Level Security off on tables the client queries.

How do I know if my Supabase RLS is correct?

CheckVibe enumerates your tables and probes each with the anon key. If we can read data we shouldn't, we tell you.

What's the worst Supabase mistake?

Putting the service-role key in client code. It bypasses all RLS. CheckVibe scans bundles for it.