What is Supabase?
Supabase is an open-source backend-as-a-service that gives you a Postgres database, authentication, file storage, and real-time subscriptions behind HTTP APIs. Because the anon key ships in client code, the thing that actually keeps data safe is Postgres Row Level Security (RLS): policies that decide, row by row, what each caller may read or write.
In more detail
Supabase shines because the frontend can talk to the database directly through `supabase-js`, skipping the need for a separate backend. The anon key is public by design: it identifies your project and maps unauthenticated requests to the `anon` Postgres role, and on its own it grants nothing beyond what that role is allowed to do. What each role may read or write is decided by the RLS policies you write in SQL.
The security rule is simple: RLS on, always. Every public-schema table must have RLS enabled before going to production. Two things to keep in mind: a table with RLS enabled and no policies denies everything to the `anon` and `authenticated` roles, so you must add a policy per operation you want to allow; and the `service_role` key bypasses RLS entirely, which is why it must never leave your server.
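The following is an added example of the rule above, not the page's own fix guide. It assumes a hypothetical `public.notes` table owned per user, shows the enable-then-policy sequence, an audit query for public-schema tables that still have RLS off (or on with no policies), and a rolled-back smoke test that impersonates the `authenticated` role with a constructed user id in the Supabase SQL editor.

```sql
-- Added example (not from the page's fix guide). public.notes is hypothetical.
create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- 1. Turn RLS on. With RLS on and no policies, anon/authenticated get nothing;
--    service_role bypasses RLS regardless, so that key must never ship to clients.
alter table public.notes enable row level security;

-- 2. One policy per operation, each scoped to the caller's own rows.
--    auth.uid() is the "sub" claim of the JWT PostgREST forwards; it is null for anon,
--    so anon matches no rows even without a separate anon policy.
create policy "notes: owners read own rows"
  on public.notes for select
  to authenticated
  using (owner_id = auth.uid());

create policy "notes: owners insert own rows"
  on public.notes for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "notes: owners update own rows"
  on public.notes for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "notes: owners delete own rows"
  on public.notes for delete
  to authenticated
  using (owner_id = auth.uid());

-- 3. Audit: every public-schema table with RLS off, or RLS on but zero policies.
--    Anything this returns is either exposed or silently broken for the app.
select n.nspname as schema_name,
       c.relname as table_name,
       c.relrowsecurity as rls_on,
       (select count(*) from pg_policy p where p.polrelid = c.oid) as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and (not c.relrowsecurity
       or not exists (select 1 from pg_policy p where p.polrelid = c.oid))
order by 2;

-- 4. Smoke test in the SQL editor: impersonate the authenticated role with a
--    constructed user id and confirm only that user's rows come back. The
--    transaction is rolled back, so nothing persists.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  select count(*) from public.notes;  -- only rows whose owner_id equals the sub above
rollback;
```

Run step 3 against every project before release; an empty result is the goal. Step 4 is the quickest way to prove a policy does what you think without touching the app: change the `sub` to another user's id and the count should drop to that user's rows.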
Why this matters
Why builders care
Supabase is the most common backend for AI-built apps (Lovable, Bolt, Cursor). It is also where the most common critical findings come from: tables with RLS off, service role keys leaked into client code, and storage buckets open to the public.
Fix guides
Fix Supabase issues
Supabase RLS disabled
A Supabase table without RLS is readable (and often writable) by anyone holding your anon key, which is everyone who can load your site. Here is exactly how to turn on RLS and write your first policy.
Exposed Supabase service key
The service role key bypasses RLS entirely. If it is in your client code, anyone who views your bundle has full read and write access to every table. It is a JWT whose `role` claim is `service_role`, so it can be found by decoding any Supabase key that appears in shipped frontend code. Here is how to find it, rotate it, and keep it server-side.
See where your site stands
Paste a URL, get a score in 60 seconds. Free, no signup.