Skip to content
Supabase Security

Supabase security scanner — test your RLS policies.

Scan your Supabase app for Row Level Security gaps, exposed anon keys, overly permissive policies, and database access misconfigurations — no database password or SDK required.

What a Supabase security scan tests

  • RLS enforcement — tables with Row Level Security disabled
  • Anonymous access — unauthenticated requests that return protected data
  • Anon key exposure — the Supabase anon key leaked in client bundles
  • Policy review — permissive policies allowing public write or delete
  • Service key exposure — the secret service_role key accidentally in client code
  • RLS bypass via Supabase REST API direct calls
  • Storage bucket permissions — publicly writable storage buckets

How Supabase RLS bypass works in practice

Supabase exposes a full REST API at your project URL. If RLS is not enabled on a table, anyone with the anon key can read, write, or delete data. Vezraa tests this by:

  • Extracting the anon key from your deployed app's client bundle
  • Enumerating accessible tables via the Supabase REST API
  • Sending unauthenticated SELECT, INSERT, UPDATE, and DELETE requests
  • Comparing responses against expected access control behavior
  • Flagging every table that responds without proper authentication

Why Supabase security needs the full three-pillar approach

Vezraa is a platform that combines security scanning, autonomous AI pentesting, and production readiness reviews to determine whether software is actually ready for production. For Supabase specifically:

  • The scanner finds tables without RLS — the pentester attempts to extract real user data from them
  • The scanner flags exposed anon keys — the pentester uses them to probe deeper access
  • The readiness review checks Supabase connection pooling, query performance, and backup configuration

Supabase security best practices

  • Enable RLS on every table — there is no exception for development tables in production
  • Use PL/pgSQL policies with authenticated user checks, not blanket public access
  • Never expose the service_role key in client-side code
  • Restrict anon key permissions to the minimum required tables
  • Enable Row Level Security on storage buckets too
  • Regularly audit policies with Vezraa's automated scanner

Scan your Supabase app for RLS gaps in 25 seconds.

Scan My Supabase App →

Related

Supabase Security Scanner — Vezraa | Vezraa