Firebase | Critical

Writable Firestore Collection

Firestore collections are writable without authentication, allowing attackers to insert, modify, or delete data.

Last updated 2026-01-15

What Is This Vulnerability

Writable Firestore Collection is a critical vulnerability where Cloud Firestore security rules allow unauthenticated or unauthorized users to create, update, or delete documents. This occurs when rules contain allow write: if true; or when wildcard matches grant broad write access without verifying the caller's identity.

Unlike read-only exposure, writable collections allow attackers to actively corrupt your data, inject malicious content, or delete critical records.

Why It's Dangerous

An attacker with write access to Firestore can:

  • Inject malicious data — insert XSS payloads, phishing links, or offensive content into user-facing collections.
  • Modify existing records — alter prices, change user roles, or tamper with transaction amounts.
  • Delete documents — wipe entire collections, causing data loss and service disruption.
  • Exhaust billing quotas — flood collections with millions of documents, running up Firebase costs.
  • Escalate privileges — if user roles or permissions are stored in Firestore, an attacker can grant themselves admin access.

This is rated critical because it allows direct data manipulation without any authentication barrier.

How to Detect

Attempt an unauthenticated write using the Firestore REST API:

curl -X POST \
  "https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)/documents/COLLECTION" \
  -H "Content-Type: application/json" \
  -d '{
    "fields": {
      "test": { "stringValue": "audit_probe" }
    }
  }'

If the response returns a document reference instead of a PERMISSION_DENIED error, the collection is writable (a real document was created by the probe, so delete it once the test is done). Review your security rules for patterns like:

// CRITICAL: Anyone can write to any document
match /{document=**} {
  allow read, write: if true;
}

AuditYour.app performs non-destructive write probes against known collection patterns and immediately flags writable endpoints.
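The two checks above (interpreting the probe response and spotting unauthenticated write grants in a rules file) as an added example in Python; this is not AuditYour.app's own tooling, the rules text and REST response bodies are constructed samples, and the rules scan is a regex heuristic that reports conditions delegated to helper functions for manual review rather than proving them unsafe.

```python
import json
import re

# One `allow <ops>: if <condition>;` statement; the condition may span lines.
ALLOW_RE = re.compile(r"\ballow\s+([a-z,\s]+?)\s*:\s*if\s+(.*?)\s*;", re.DOTALL)
WRITE_OPS = {"write", "create", "update", "delete"}

def find_permissive_writes(rules_text):
    """Flag allow statements that grant a write op without any request.auth
    check. Conditions delegated to helper functions are reported for review."""
    findings = []
    for m in ALLOW_RE.finditer(rules_text):
        ops = {op.strip() for op in m.group(1).split(",")}
        cond = " ".join(m.group(2).split())  # collapse newlines and indentation
        if not ops & WRITE_OPS or cond == "false":
            continue
        if cond == "true":
            reason = "unconditional write"
        elif "request.auth" not in cond:
            reason = "no request.auth check (review helper functions)"
        else:
            continue
        findings.append({"line": rules_text.count("\n", 0, m.start()) + 1,
                         "ops": sorted(ops & WRITE_OPS), "condition": cond, "reason": reason})
    return findings

def classify_probe_response(body):
    """Interpret the JSON body from an unauthenticated createDocument probe: a
    resource name means the write succeeded (delete that probe document);
    an error object carries the status the rules engine returned."""
    data = json.loads(body)
    if "error" in data:
        return {"writable": False, "status": data["error"].get("status"), "created": None}
    return {"writable": "name" in data, "status": "CREATED", "created": data.get("name")}

# Constructed sample inputs: a rules file and two REST response bodies.
SAMPLE_RULES = """service cloud.firestore {
  match /public/{doc} {
    allow read: if true;
    allow write: if true;
  }
  match /users/{userId} {
    allow write: if request.auth != null
      && request.auth.uid == userId;
  }
}"""
DENIED = '{"error": {"code": 403, "message": "Missing or insufficient permissions.", "status": "PERMISSION_DENIED"}}'
ALLOWED = ('{"name": "projects/demo-project/databases/(default)/documents/public/abc123",'
           ' "fields": {"test": {"stringValue": "audit_probe"}}}')
```

Run `find_permissive_writes` over your deployed `firestore.rules` and `classify_probe_response` over the body returned by the curl probe; the `created` name is the path to pass to a DELETE request for cleanup.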

How to Fix

Implement strict write rules with authentication and data validation:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      // Only the owner can write, with field validation
      allow write: if request.auth != null
        && request.auth.uid == userId
        && request.resource.data.keys().hasOnly(['displayName', 'bio', 'avatarUrl'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 100;
    }

    match /messages/{messageId} {
      // Only authenticated users can create messages
      allow create: if request.auth != null
        && request.resource.data.authorId == request.auth.uid
        && request.resource.data.text.size() <= 5000;
      // Only the author can update or delete
      allow update, delete: if request.auth != null
        && resource.data.authorId == request.auth.uid;
    }

    // Deny everything else
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Always validate incoming data shapes and sizes in your rules. Never trust client-submitted data without server-side or rule-level validation.

Scan your app for this vulnerability

AuditYourApp automatically detects security misconfigurations in Supabase and Firebase projects. Get actionable remediation in minutes.
