Built with Supabase?
Security scanning for Supabase apps
Supabase gives you a Postgres database in minutes, but the default RLS policies are wide open. Most Supabase apps we scan have at least one table anyone can read.
Free scan. No account required.
Common issues
Top vulnerabilities in Supabase apps
These are the three most common security issues we find when scanning Supabase projects.
Tables with disabled Row Level Security letting anyone query your data
Service role key exposed in client-side JavaScript bundles
Missing email security records (SPF, DKIM, DMARC) on your domain
How it works
60-second security audit
01 Paste your URL
Enter your Supabase app URL. We handle the rest.
02 Get your score
10 security modules run in parallel against your live site.
03 Fix with AI prompts
Copy the fix prompts into your AI tool and ship secure.
10 security modules, one scan
Every scan checks security headers, SSL/TLS, exposed files, JavaScript secrets, Supabase & Firebase configs, CORS, cookies, email security, and tech detection.
Fix guides for Supabase
Common Supabase security fixes
Supabase RLS disabled
A Supabase table without RLS is readable (and often writable) by anyone with your anon key. Here is exactly how to turn on RLS and write your first policy.
Exposed Supabase service key
The service role key bypasses all security in Supabase. If it is in your client code, an attacker has full database access. Here is how to find and fix it.
Missing SPF record
Without SPF, anyone can send email that looks like it came from your domain. Here is the one DNS record you need to stop that.
Missing DMARC record
DMARC tells receiving mail servers what to do with email that fails SPF or DKIM — quarantine, reject, or nothing. Here is how to set it up.
Missing DKIM record
DKIM signs your outgoing email so receivers can verify it was not tampered with. Here is how to enable it through your email provider.
FAQ
Supabase security FAQ
- What is the single most important Supabase security check?
- Enable RLS on every table in the public schema. If RLS is off, the anon key gives full database access. Supabase will warn you in the dashboard when a table has RLS disabled.
- Do I need to write RLS policies if I only query through a backend?
- No — if you exclusively use the service role key from server code and never expose the anon key. Most Supabase apps use the anon key directly from the browser, so RLS is required.
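As an added illustration of the RLS point above (example SQL written for this page, not the scanner's or Supabase's own code), the following enables RLS on a constructed `public.profiles` table, adds an owner-only policy plus a narrow read policy for the `anon` role, and ends with a query that lists any public-schema tables still running with RLS off. The table name and columns are assumptions; `auth.uid()`, `anon` and `authenticated` are standard Supabase roles and helpers.

```sql
-- Constructed example table; substitute your own table.
create table if not exists public.profiles (
  id uuid primary key references auth.users (id) on delete cascade,
  display_name text,
  is_public boolean not null default false
);

-- With RLS off, the anon key can read (and often write) every row.
-- Enabling RLS denies all access to anon/authenticated until a policy grants it.
alter table public.profiles enable row level security;

-- Signed-in users may read and modify only their own row.
create policy "profiles_owner_rw"
  on public.profiles
  for all
  to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- Anonymous visitors may read only rows the owner marked public.
create policy "profiles_public_read"
  on public.profiles
  for select
  to anon
  using (is_public);

-- Check: every public-schema table whose RLS is still disabled.
-- An empty result is what you want before shipping the anon key to a browser.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Run the final query in the Supabase SQL editor after each migration; any table it returns is reachable with nothing more than the anon key.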
Scan your Supabase app now
Find security issues before your users do. It takes 60 seconds and your first scan is free.