API Key Management Checklist
API keys are the most common authentication mechanism for BaaS platforms, third-party services, and internal APIs. Poor key management is one of the top causes of security breaches. This checklist establishes a rigorous approach.
1. Key Classification
Not all keys carry the same risk. Classify every key in your project:
| Category | Example | Exposure Risk |
|----------|---------|---------------|
| Public | Supabase anon key, Firebase API key | Safe in client code (when restricted) |
| Private | Supabase service_role, Stripe secret key | Server-side only |
| Admin | Database superuser password, GCP service account | Highly restricted, break-glass only |
This classification drives all subsequent decisions: where the key can be stored, who can access it, and how it should be rotated.
2. Preventing Version Control Exposure
The number one source of key leaks is committing secrets to Git. Implement multiple layers of defense:
.gitignore: Exclude all files that commonly contain secrets.

```gitignore
.env
.env.local
.env.production
*.pem
*-credentials.json
```
Pre-commit hooks: Use tools like gitleaks or trufflehog to scan staged changes:

```shell
# Install gitleaks
brew install gitleaks
```

Then register it as a pre-commit hook in `.pre-commit-config.yaml`:

```yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
```
GitHub Push Protection: Enable GitHub's secret scanning and push protection to block pushes that contain known secret patterns.
3. Secure Storage
For server-side applications:
- Environment variables: The minimum standard. Use `.env` files locally and platform-provided env vars in production (Vercel, Supabase Edge Function secrets, etc.).
- Secret managers: For production systems, use a dedicated secret manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault) that provides audit logging, access control, and automatic rotation.
```typescript
// Supabase Edge Function: read a server-side secret from the environment at runtime
// rather than hard-coding it, and fail fast if it is missing
const stripeKey = Deno.env.get('STRIPE_SECRET_KEY');
if (!stripeKey) throw new Error('STRIPE_SECRET_KEY not configured');
```
For client-side applications, only embed public keys, and ensure they are restricted (see below).
4. Key Restrictions
Even public keys should be restricted to minimize abuse:
- Firebase API keys: In the GCP Console, restrict by HTTP referrer (web) or app fingerprint (mobile), and limit to specific APIs.
- Supabase anon key: Restrict what the `anon` role can access via RLS policies and schema-level grants.
- Stripe publishable key: Already restricted to read-only client operations by design, but ensure you are not accidentally using the secret key client-side.
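The classification from section 1 and the "never ship the secret key client-side" rule above can be enforced mechanically at build time. The following is an added example, not code from the original checklist: it classifies a key by its format and flags any client-exposed environment variable (NEXT_PUBLIC_, VITE_, etc.) that holds a private key. It assumes legacy Supabase anon/service_role keys are JWTs carrying a `role` claim, newer Supabase keys use the sb_publishable_/sb_secret_ prefixes, and Stripe keys use pk_ (publishable) and sk_/rk_ (secret/restricted) prefixes; the sample keys and env are constructed.

```typescript
// Added example (not from the original page): classify API keys by format so a
// build step can refuse to ship a private key to the browser. Assumed formats:
// legacy Supabase keys are JWTs with a `role` claim, newer ones use
// sb_publishable_/sb_secret_ prefixes, Stripe uses pk_ (public) and sk_/rk_ (secret).
type KeyClass = "public" | "private" | "unknown";

// Decode a JWT payload WITHOUT verifying the signature: we only read the `role` claim.
function jwtPayload(token: string): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [, payloadB64 = ""] = parts;
  try {
    const b64 = payloadB64.replace(/-/g, "+").replace(/_/g, "/");
    const obj = JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
    return typeof obj === "object" && obj !== null ? obj : null;
  } catch {
    return null; // not base64url / not JSON, so not a Supabase JWT
  }
}
function classifyKey(key: string): KeyClass {
  const k = key.trim();
  if (/^sb_publishable_/.test(k) || /^pk_(live|test)_/.test(k)) return "public";
  if (/^sb_secret_/.test(k) || /^(sk|rk)_(live|test)_/.test(k)) return "private";
  const payload = jwtPayload(k);
  if (payload && payload.iss === "supabase") {
    if (payload.role === "anon") return "public";
    if (payload.role === "service_role") return "private";
  }
  return "unknown";
}
// Variables with these prefixes are inlined into the client bundle by the framework.
const CLIENT_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_", "EXPO_PUBLIC_"];
// Names of client-exposed variables whose value classifies as a private key.
function findPrivateKeysInClientEnv(env: Record<string, string>): string[] {
  return Object.entries(env)
    .filter(([n, v]) => CLIENT_PREFIXES.some((p) => n.startsWith(p)) && classifyKey(v) === "private")
    .map(([n]) => n);
}
// CONSTRUCTED, unsigned Supabase-style token for the demo; not a real key.
function fakeSupabaseJwt(role: string): string {
  const enc = (o: object) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ iss: "supabase", ref: "demo", role })}.sig`;
}
// Constructed .env contents: the two flagged values must never reach the browser.
const SAMPLE_ENV: Record<string, string> = {
  NEXT_PUBLIC_SUPABASE_ANON_KEY: fakeSupabaseJwt("anon"), // public: fine
  NEXT_PUBLIC_SUPABASE_KEY: fakeSupabaseJwt("service_role"), // private: leak
  VITE_STRIPE_KEY: "sk_test_constructedDemoValue", // private: leak
  STRIPE_SECRET_KEY: "sk_test_constructedDemoValue", // server-only, never bundled
};
console.log("private keys in client env:", findPrivateKeysInClientEnv(SAMPLE_ENV));
```

Run this against the parsed `.env` in CI and fail the build when the returned list is non-empty; a JWT whose `role` claim cannot be read is reported as unknown rather than silently treated as public.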
5. Key Rotation
Establish a rotation schedule based on key classification:
| Category | Rotation Frequency |
|----------|--------------------|
| Admin keys | Every 90 days or on personnel change |
| Private keys | Every 90-180 days |
| Public keys | On compromise only |
Automate rotation where possible. For Supabase, you can rotate the JWT secret from the dashboard. For Stripe, you can roll API keys with a grace period for the old key.
6. Incident Response for Compromised Keys
If a key is leaked:
- Revoke the key immediately in the provider's dashboard.
- Rotate to a new key and deploy the update.
- Audit usage logs for the compromised key to determine if it was exploited.
- Scan for damage: Check for unauthorized data access, created accounts, or financial impact.
- Post-mortem: Determine how the leak occurred and add safeguards (better .gitignore, pre-commit hooks, secret scanning).
7. CI/CD Pipeline Security
- Never print secrets in build logs. Use masking features provided by your CI platform.
- Store secrets in the CI platform's secret storage (GitHub Actions secrets, Vercel environment variables), not in pipeline configuration files.
- Scope CI secrets to specific environments (production secrets should not be available in PR preview builds).
8. Monitoring
Set up alerts for unusual API key usage patterns: sudden spikes in requests, requests from unexpected geographies, or calls to endpoints the key should not be accessing. Most BaaS providers offer usage dashboards and alerting.