
IS SUPABASE SAFE?

Supabase provides a powerful Postgres backend with authentication, storage, and real-time capabilities. However, its permissive defaults mean developers must explicitly lock down Row Level Security, API keys, and storage policies to prevent unauthorized data access.

72% of sites scanned: no CSP header
74% of sites scanned: no rate limiting
47% of sites scanned: no DMARC
447+ sites analyzed

TOP SECURITY RISKS

critical

Missing RLS Policies

Tables without Row Level Security allow any authenticated or anonymous user to read, write, and delete all data through the public API. This is the most common and critical Supabase misconfiguration.

critical

Service Role Key Exposed in Client-Side Code

The service_role key bypasses all RLS policies and grants full database access. If leaked in browser JavaScript, bundle files, or public repositories, attackers gain unrestricted control over your entire database.

high

Storage Buckets Without Access Policies

Storage buckets that lack access policies allow any user to upload, download, or delete files. Sensitive documents, user uploads, and private assets become publicly accessible.

high

Unprotected RPC Functions

Database functions exposed via the RPC endpoint without input validation or auth checks can be called directly by anonymous users, potentially allowing data manipulation or privilege escalation.

medium

Missing Email Confirmation on Auth

Without email confirmation enabled, attackers can create accounts with any email address and immediately access authenticated resources. This enables account impersonation and spam registrations.

SECURITY CHECKLIST

Enable RLS on every table and write restrictive policies that scope queries to the authenticated user
Never expose the service_role key in client-side code, NEXT_PUBLIC_ variables, or public repositories
Configure storage bucket policies to restrict uploads and downloads based on user identity and file ownership
Validate all inputs to RPC functions and enforce authentication checks within the function body
Enable email confirmation in Authentication settings to prevent fake account creation
Use the anon key exclusively on the client side and keep the service_role key server-only
Add rate limiting to Edge Functions and API endpoints to prevent abuse and brute-force attacks
Review and restrict auth redirect URLs to your own domains to prevent open redirect attacks
UNPWNED checks all of the above automatically with 700+ security tests.

SCAN YOUR SUPABASE APP

700+ security checks. AI-powered fix prompts. Results in under 2 minutes. Free, no credit card required.


FREQUENTLY ASKED QUESTIONS

Is Supabase secure by default?

No. Supabase creates tables with RLS disabled by default, meaning any user with your anon key can read and write all data. You must explicitly enable RLS and write policies for every table before going to production.

What is Row Level Security (RLS)?

RLS is a Postgres feature that lets you define policies controlling which rows each user can select, insert, update, or delete. In Supabase, RLS is the primary mechanism for data protection since the API is publicly accessible.

How do I check if RLS is enabled on my tables?

Go to the Table Editor in your Supabase dashboard and look for the RLS badge on each table. You can also run the SQL query SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public' to see which tables have RLS enabled.
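The following SQL is an added example, not code from the UNPWNED page or from Supabase, that works through the RLS-related items of the checklist above and the check query from this answer against a hypothetical public.profiles table with an owner_id column. It assumes the standard Supabase auth schema, where auth.uid() returns the caller's user id from the JWT and NULL for anonymous requests, and the built-in anon and authenticated roles.

```sql
-- Added example (not from the UNPWNED page or Supabase docs). Table name
-- "profiles" and column "owner_id" are hypothetical; auth.uid(), anon and
-- authenticated are the standard Supabase auth helpers and roles.

-- 1. Find public tables that still have RLS disabled (same query as the FAQ,
--    narrowed to the tables that need fixing).
select tablename
from pg_tables
where schemaname = 'public'
  and rowsecurity = false;

-- 2. Enable RLS. With RLS on and no policies yet, the anon and authenticated
--    roles get zero rows back; policies then open access selectively.
alter table public.profiles enable row level security;

-- 3. Scope every operation to the authenticated user (owner_id = auth.uid()).
--    Granting to "authenticated" only means anonymous requests match nothing.
create policy "profiles: owner read"
  on public.profiles for select
  to authenticated
  using (owner_id = auth.uid());

create policy "profiles: owner insert"
  on public.profiles for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "profiles: owner update"
  on public.profiles for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 4. RPC function with the auth check inside the body, as the checklist asks.
--    SECURITY DEFINER runs as the function owner and therefore bypasses RLS,
--    which is why the explicit auth.uid() check and a pinned search_path
--    are required here, and why anon must not be able to execute it.
create or replace function public.delete_my_profile()
returns void
language plpgsql
security definer
set search_path = public
as $$
begin
  if auth.uid() is null then
    raise exception 'authentication required';
  end if;
  delete from public.profiles where owner_id = auth.uid();
end;
$$;

revoke execute on function public.delete_my_profile() from public, anon;
grant execute on function public.delete_my_profile() to authenticated;
```

Run step 1 again after applying the rest; an empty result means every table in the public schema has RLS enabled.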

Is it safe to expose the Supabase anon key in the browser?

Yes, the anon key is designed to be public and works like an API key that identifies your project. It only grants access allowed by your RLS policies. The danger is exposing the service_role key, which bypasses all RLS and grants full database access.

How do I protect Supabase Edge Functions?

Add authentication checks at the start of each function by verifying the JWT from the Authorization header. Validate and sanitize all input parameters, add rate limiting, and use the service_role client only for operations that genuinely need elevated privileges.

Data based on 447+ website scans. Last updated: 2026-04-06. Statistics reflect aggregate findings across all scanned websites, not Supabase exclusively.