Supabase Security
Supabase security scanner — test your RLS policies.
Scan your Supabase app for Row Level Security gaps, exposed anon keys, overly permissive policies, and database access misconfigurations — no database password or SDK required.
What a Supabase security scan tests
- RLS enforcement — tables with Row Level Security disabled
- Anonymous access — unauthenticated requests that return protected data
- Anon key exposure — the Supabase anon key leaked in client bundles
- Policy review — permissive policies allowing public write or delete
- Service key exposure — the secret service_role key accidentally in client code
- RLS bypass via Supabase REST API direct calls
- Storage bucket permissions — publicly writable storage buckets
How Supabase RLS bypass works in practice
Supabase exposes a full REST API at your project URL. If RLS is not enabled on a table, anyone with the anon key can read, write, or delete data. Vezraa tests this by:
- Extracting the anon key from your deployed app's client bundle
- Enumerating accessible tables via the Supabase REST API
- Sending unauthenticated SELECT, INSERT, UPDATE, and DELETE requests
- Comparing responses against expected access control behavior
- Flagging every table that responds without proper authentication
Why Supabase security needs the full three-pillar approach
Vezraa is a platform that combines security scanning, autonomous AI pentesting, and production readiness reviews to determine whether software is actually ready for production. For Supabase specifically:
- The scanner finds tables without RLS — the pentester attempts to extract real user data from them
- The scanner flags exposed anon keys — the pentester uses them to probe deeper access
- The readiness review checks Supabase connection pooling, query performance, and backup configuration
Supabase security best practices
- Enable RLS on every table — there is no exception for development tables in production
- Use PL/pgSQL policies with authenticated user checks, not blanket public access
- Never expose the service_role key in client-side code
- Restrict anon key permissions to the minimum required tables
- Enable Row Level Security on storage buckets too
- Regularly audit policies with Vezraa's automated scanner
Scan your Supabase app for RLS gaps in 25 seconds.
Scan My Supabase App →