Firebase | Severity: Low

Firebase API Key Exposure

Firebase API key found in client-side JavaScript bundles, which is expected but may indicate broader misconfiguration.

Last updated 2026-01-15

What Is This Vulnerability

Firebase API Key Exposure refers to the detection of Firebase API keys in client-side code, bundled JavaScript, or public repositories. Unlike most API keys, Firebase API keys are designed to be public. They identify your Firebase project but do not grant privileged access on their own. The real risk is not the key itself but what the key enables when security rules are misconfigured.

This is rated low severity because the key alone is not a secret. However, its presence in client code confirms the use of Firebase and provides attackers with the project ID and configuration needed to probe for deeper vulnerabilities.

Why It's Dangerous

While the API key itself is not secret, its exposure enables:

  • Project identification — attackers can determine your Firebase project ID and target it for further scanning.
  • Unauthenticated API access — combined with permissive security rules, the key allows direct Firestore, Storage, and Auth API calls.
  • Abuse of Firebase Auth — attackers can create accounts, enumerate users, or trigger password reset floods using your project's Auth API.
  • Quota exhaustion — attackers can make high-volume API calls that consume your Firebase quotas and increase billing.

The key becomes dangerous when it is the only barrier between an attacker and your data. If your security rules are allow read, write: if true, the API key is effectively an access token.

How to Detect

Search your client-side JavaScript bundles for Firebase configuration:

// Typical Firebase config object found in client bundles
const firebaseConfig = {
  apiKey: "AIzaSyB1234567890abcdefghijklmnop",
  authDomain: "myapp-12345.firebaseapp.com",
  projectId: "myapp-12345",
  storageBucket: "myapp-12345.appspot.com",
  messagingSenderId: "123456789",
  appId: "1:123456789:web:abcdef123456"
};

Use browser DevTools to search for apiKey in the Sources tab, or scan the page source:

curl -s https://example.com | grep -o 'AIza[0-9A-Za-z_-]\{35\}'

AuditYour.app extracts Firebase configuration from page source and JavaScript bundles, then uses the API key to test whether security rules are properly configured.
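The extraction step described above, as an added example that is not AuditYour.app's code: a Node.js script that pulls the Firebase web config out of bundle text (unminified and minified forms) and applies the same "AIza" plus 35 characters pattern as the grep one-liner. The bundle string and the key inside it are constructed for this example; the key is a placeholder of the right shape, not a real credential.

```javascript
// Added example (not from AuditYour.app): extract a Firebase web config from
// JavaScript bundle text and report what it discloses about the project.
// SAMPLE_BUNDLE is constructed; the apiKey value is a placeholder of the
// standard shape (4-char "AIza" prefix + 35 key characters), not a real key.

const SAMPLE_BUNDLE =
  'var e={apiKey:"AIzaSyEXAMPLE0123456789abcdefghijklmnop",' +
  'authDomain:"myapp-12345.firebaseapp.com",projectId:"myapp-12345",' +
  'storageBucket:"myapp-12345.appspot.com",messagingSenderId:"123456789",' +
  'appId:"1:123456789:web:abcdef123456"};initializeApp(e);';

// Same pattern as the curl | grep one-liner: "AIza" followed by 35 key chars.
const FIREBASE_KEY_SOURCE = 'AIza[0-9A-Za-z_-]{35}';

const CONFIG_FIELDS = [
  'apiKey', 'authDomain', 'projectId', 'storageBucket', 'messagingSenderId', 'appId',
];

// Every distinct key-shaped string anywhere in the text, not only inside a
// config object (minifiers sometimes inline the key elsewhere).
function findFirebaseKeys(text) {
  const matches = text.match(new RegExp(FIREBASE_KEY_SOURCE, 'g')) || [];
  return [...new Set(matches)];
}

// True only for the full 39-character form; shorter placeholders are rejected.
function isWellFormedKey(key) {
  return new RegExp(`^${FIREBASE_KEY_SOURCE}$`).test(key);
}

// Pull each known config field out of the bundle. Accepts field:"value",
// field: 'value' and "field":"value" (unminified, minified, and JSON-ish).
function extractFirebaseConfig(bundleText) {
  const config = {};
  for (const field of CONFIG_FIELDS) {
    const re = new RegExp(`["']?${field}["']?\\s*:\\s*["']([^"']+)["']`);
    const m = re.exec(bundleText);
    if (m) config[field] = m[1];
  }
  return config;
}

// Summarise what a reader of the bundle learns: whether Firebase is in use,
// the project id, and which API keys are present.
function auditBundle(bundleText) {
  const config = extractFirebaseConfig(bundleText);
  const apiKeys = findFirebaseKeys(bundleText);
  return {
    firebaseDetected: Boolean(config.projectId || apiKeys.length),
    projectId: config.projectId || null,
    authDomain: config.authDomain || null,
    apiKeys,
    config,
  };
}

console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));

module.exports = { auditBundle, extractFirebaseConfig, findFirebaseKeys, isWellFormedKey, SAMPLE_BUNDLE };
```

Run it with `node audit-bundle.js` (file name is your choice) against a downloaded bundle instead of SAMPLE_BUNDLE to get the project id and key list in one step. Note that the grep pattern, and `isWellFormedKey` here, only match the standard 39-character key form; the shortened placeholder in the config sample above would not match it.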

How to Fix

Since Firebase API keys are public by design, the fix is to ensure they cannot be abused:

  1. Lock down security rules — ensure Firestore, Storage, and Realtime Database rules enforce authentication and authorization.
  2. Restrict the API key in the Google Cloud Console:
     Google Cloud Console > APIs & Services > Credentials
     > Select your Firebase API key > Application restrictions
       - HTTP referrers: add your domain (e.g., *.myapp.com/*)
     > API restrictions
       - Restrict to only the Firebase APIs your app uses
  3. Enable App Check to verify requests come from your legitimate app:

     import { initializeApp } from 'firebase/app';
     import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check';

     // app is the FirebaseApp created from your public config object
     const app = initializeApp(firebaseConfig);

     const appCheck = initializeAppCheck(app, {
       provider: new ReCaptchaV3Provider('YOUR_RECAPTCHA_SITE_KEY'),
       isTokenAutoRefreshEnabled: true,
     });

  4. Monitor usage — set up billing alerts and quota limits in the Google Cloud Console to detect abuse early.
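Step 1 is the one that decides whether an exposed key matters, so here is an added example (not AuditYour.app's code) of checking it before deploy: a small linter for Firestore security rules text that flags the `allow read, write: if true` pattern from the "Why It's Dangerous" section, along with `allow` statements that have no condition or never look at `request.auth`. It assumes a formatted rules file with one `match` or `allow` statement per line; both rule sets below are constructed for the example, the first public and the second gated on the signed-in user.

```javascript
// Added example (not from AuditYour.app): lint Firestore security rules for
// allow statements that leave the API key as the only barrier to data.
// Assumes one `match ... {` / `allow ...;` statement per line (formatted file).
// Both rules samples are constructed for this example.

const WEAK_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}`;

const HARDENED_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow write: if request.auth != null && request.resource.data.owner == request.auth.uid;
    }
  }
}`;

const WRITE_OPS = ['write', 'create', 'update', 'delete'];

// Returns one finding per allow statement that is unconditioned, literally
// `if true`, or does not reference request.auth. The last case is a review
// flag rather than a definite bug: deliberately public read rules exist.
function lintRules(rulesText) {
  const findings = [];
  const pathStack = []; // nested match paths, joined to form the full path

  rulesText.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    const matchStmt = /^match\s+(\S+)\s*\{$/.exec(line);
    if (matchStmt) { pathStack.push(matchStmt[1]); return; }
    if (line === '}') { pathStack.pop(); return; }

    const allowStmt = /^allow\s+([a-z, ]+?)\s*(?::\s*if\s+(.+?))?\s*;$/.exec(line);
    if (!allowStmt) return;

    const ops = allowStmt[1].replace(/\s+/g, '');
    const condition = (allowStmt[2] || '').trim();
    let issue = null;
    if (condition === '') issue = 'no-condition';
    else if (condition === 'true') issue = 'always-true';
    else if (!/request\.auth/.test(condition)) issue = 'no-auth-check';

    if (issue) {
      findings.push({ line: idx + 1, path: pathStack.join(''), ops, condition, issue });
    }
  });
  return findings;
}

// The worst case from the page: anyone holding the public key can write.
function isWorldWritable(rulesText) {
  return lintRules(rulesText).some(
    (f) => (f.issue === 'no-condition' || f.issue === 'always-true') &&
      f.ops.split(',').some((op) => WRITE_OPS.includes(op)),
  );
}

for (const [name, rules] of [['weak', WEAK_RULES], ['hardened', HARDENED_RULES]]) {
  console.log(name, 'world-writable:', isWorldWritable(rules), lintRules(rules));
}

module.exports = { lintRules, isWorldWritable, WEAK_RULES, HARDENED_RULES };
```

Wire `lintRules` into CI against `firestore.rules` and fail the build when `isWorldWritable` returns true; the same check is worth repeating after any rules change, since step 2 and step 3 only raise the cost of abusing the key and do not replace a correct rule set.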
