Supabase production-launch security checklist
Supabase exposes more functionality by default than most "BaaS" tools, which is great for prototyping and dangerous for unaudited production launches. These ten checks focus on the project-level configuration, not application code.
10 checks
Each item carries a severity and a detector tag; the detector tag names the scanner module that marks that check pass or fail when you run a SafeToShip scan.
- RLS enabled on every table in the exposed public schema (no exceptions). Severity: Critical. Detector: supabase
- Each table has explicit policies, not just RLS switched on with none (RLS with zero policies denies every row for anon and authenticated, which breaks the app rather than documenting who may see what). Severity: High. Detector: supabase
- Public buckets contain only files that are genuinely public (public bucket objects are served to anyone with the URL, no key required). Severity: High. Detector: supabase
- Private buckets have explicit RLS policies on storage.objects (private with no policies means no client access at all, which is safe but usually not what the product intends). Severity: Critical. Detector: supabase
- The service_role key never reaches the browser. Severity: Critical. Detector: js-secrets
- The JWT secret has been rotated since project creation. Severity: Low. Detector: tech-detect
- Auth providers match the real product (no leftover test providers). Severity: Medium. Detector: tech-detect
- Auth email templates send from your verified domain. Severity: Medium. Detector: email
- Rate limit on auth signups (custom limits are available on the Pro plan). Severity: Medium. Detector: rate-limit
- Point-in-time recovery enabled (Pro plan). Severity: Low. Detector: tech-detect
Paste this into Supabase
One prompt that runs the entire checklist as a code review pass.
Audit my Supabase project: enable RLS on every public schema table with explicit policies, audit Storage public vs private buckets and add policies on private ones, confirm the service_role key is never used client-side, rotate the project JWT secret if untouched since creation, remove any leftover test auth providers, verify auth email templates send from your verified sending domain (with SPF/DMARC published), configure custom rate limits on auth/signup, and enable point-in-time recovery (Pro plan).
FAQ
Frequently asked questions
- Should I rotate the JWT secret on every project?
- If the project was created on a shared dev account, or the secret has been visible to people who no longer need it, yes. Rotating the JWT secret invalidates every token signed with the old one, so all signed-in users are logged out and must sign in again. The legacy anon and service_role API keys are also JWTs signed with that secret, so they are reissued at the same time and every client and server that embeds them must be updated in the same deploy. Plan a brief sign-out and deploy window before rotating.
Per-issue depth
Fix guides for this checklist
Supabase RLS disabled
A table in the exposed public schema without RLS is readable (and usually writable) by anyone, because the anon key that authorises those requests ships inside every client. Here is exactly how to turn on RLS and write your first policy.
Exposed Supabase service key
The service_role key bypasses Row Level Security entirely. If it is in your client code, anyone who downloads the bundle has full read and write access to your database. Here is how to find it, replace it, and keep it server-side.
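An added example for the check above, not the page's own code and not a Supabase-provided function: a Postgres function, named jwt_role here by assumption, that you can run in the Supabase SQL editor against any JWT-looking string pulled out of a client bundle to learn which role it carries. The legacy anon and service_role keys are both JWTs signed with the project's JWT secret and differ in their role claim, so the familiar eyJ prefix alone does not tell you which one leaked. The sample token is constructed for the example: a dummy header and signature around a payload of {"role":"service_role"}. Newer Supabase key formats that are not JWTs are outside what this function can classify.

```sql
-- Added example: report the "role" claim of a JWT found in client code.
-- jwt_role is an assumed name for this helper; it is not part of Supabase.
create or replace function public.jwt_role(token text)
returns text
language sql
immutable
as $$
  -- Take the middle (payload) segment, turn base64url into base64,
  -- pad to a multiple of four characters (Postgres rejects unpadded
  -- base64), decode, parse as JSON and return the role claim.
  select (
    convert_from(
      decode(
        rpad(
          translate(split_part(token, '.', 2), '-_', '+/'),
          (length(split_part(token, '.', 2)) + 3) / 4 * 4,
          '='
        ),
        'base64'
      ),
      'utf8'
    )::jsonb
  ) ->> 'role';
$$;

-- Constructed sample token: header and signature are placeholders, the
-- payload is base64url of {"role":"service_role"}. Returns 'service_role',
-- which means the string must never appear in browser-delivered code.
select public.jwt_role('xxx.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.yyy') as role;

-- Anything that returns 'anon' is the public key and is expected in the
-- bundle; anything that returns 'service_role' needs the key revoked
-- (rotate the JWT secret) and the code path moved to a server or edge
-- function.
```

The function never verifies the signature; it only reads the unsigned payload, which is all you need to classify a leaked key. Drop it again after the audit so it does not linger in the public schema.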
Missing SPF record
Without SPF (and a DMARC policy telling receivers to enforce it), a receiving mail server has no way to tell a forged message from one your domain really sent, so anyone can spoof your auth emails. Here is the DNS record you need to start closing that.