Vulnerability Database
A comprehensive reference of security vulnerabilities found in Supabase, Firebase, and mobile BaaS applications. Each entry includes detection methods, impact analysis, and remediation steps.
Supabase Vulnerabilities
Missing Row Level Security Policy
Tables without RLS are fully exposed to any user with the anon key, allowing unrestricted read and write access to all rows.
RLS Bypass: Unauthorized SELECT
Overly permissive SELECT policies allow users to read data they should not have access to, exposing sensitive information.
RLS Bypass: Unauthorized INSERT
Tables allow unauthenticated or cross-user inserts due to missing or overly permissive INSERT policies.
RLS Bypass: Unauthorized UPDATE
Tables allow unauthenticated or cross-user updates due to missing or overly permissive UPDATE policies.
RLS Bypass: Unauthorized DELETE
Tables allow unauthenticated or cross-user deletes due to missing or overly permissive DELETE policies.
Public Table Read Access
Tables are readable by anonymous users through the Supabase API, potentially exposing sensitive data to unauthenticated visitors.
Public Table Write Access
Tables are writable by anonymous users, allowing unauthenticated visitors to insert, update, or delete data.
Authenticated User Data Leak
Authenticated users can read other users' data due to SELECT policies that do not enforce row-level ownership checks.
Authenticated Cross-User Write Access
Authenticated users can modify or delete other users' data due to write policies lacking ownership checks.
Public Storage Bucket Exposure
Supabase storage buckets configured as public allow anyone to access uploaded files without authentication.
Listable Storage Bucket
Storage bucket contents can be enumerated by anonymous or authenticated users, revealing file names and structure.
Writable Storage Bucket
Storage bucket allows unauthenticated users to upload, overwrite, or delete files without any access control.
Unprotected RPC Function
PostgreSQL functions exposed via the Supabase RPC endpoint can be called without authentication or with insufficient authorization checks.
Edge Function Security Issue
Supabase Edge Functions lacking proper authentication checks, input validation, or error handling expose backend logic to abuse.
Service Role Key Exposure
The Supabase service_role key is exposed in client-side code, granting full database access that bypasses all RLS policies.
Anonymous Key Misuse
Supabase anon key used without proper RLS policies in place, allowing unauthenticated data access.
Firebase Vulnerabilities
Public Firestore Collection
Firestore collections are readable by anyone without authentication due to missing or permissive security rules.
Writable Firestore Collection
Firestore collections are writable without authentication, allowing attackers to insert, modify, or delete data.
Firebase Storage Bucket Exposure
Firebase Cloud Storage bucket is publicly accessible, allowing anyone to list and download files.
Firebase Security Rules Misconfiguration
Firebase security rules are overly permissive, granting broader access than intended across Firestore, Storage, or Realtime Database.
Firebase API Key Exposure
Firebase API key found in client-side JavaScript bundles, which is expected but may indicate broader misconfiguration.
Mobile Vulnerabilities
Hardcoded API Keys in APK
API keys and secrets found in decompiled Android APK files through static analysis.
Hardcoded API Keys in IPA
API keys and secrets found in iOS application bundles through static analysis of IPA files.
Exposed Supabase URL in Mobile App
Supabase project URL found in a mobile app binary, enabling targeted attacks against the backend.
Service Role Key in Mobile Binary
Supabase service_role key found in a mobile app, granting full admin access that bypasses all RLS policies.
Mobile App Credential Extraction
Multiple credentials and secrets extractable from a mobile application through static and dynamic analysis.
General Vulnerabilities
Leaked LLM API Keys
OpenAI, Anthropic, or other LLM provider API keys found in client-side JavaScript code.
Exposed Payment Keys
Stripe secret keys or other payment processor credentials found in client-side code.
Client-Side Secret Exposure
Generic secrets, tokens, or credentials found in frontend JavaScript bundles or source code.
Database Schema Enumeration
Database schema is discoverable through API introspection, revealing table names, columns, and relationships.