Supabase Security Guide
How can I test the security of my Supabase project?
You can test Supabase security by attempting to access your API endpoints with just the anon key and no authentication to check for RLS bypasses. The Supabase Dashboard includes an RLS debugger that lets you simulate queries as different roles. You should also verify that your service_role key is not exposed in any client-side code or public repositories. Testing should include checking storage bucket policies, edge function authentication, and database function permissions. UNPWNED provides automated security scanning that tests all of these vectors and generates a detailed report with specific remediation steps.
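The anon-key check described above can be scripted against your own project. This is an added example, not UNPWNED or Supabase code. It assumes the project's standard `/rest/v1/` REST endpoint, table names you supply, and the environment variable names `SUPABASE_URL` and `SUPABASE_ANON_KEY`.

```python
import json, os, sys
import urllib.error, urllib.request

def http_get(url, headers):
    """GET url; return (status, body) and treat HTTP errors as results."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def probe_table(project_url, anon_key, table, fetch=http_get):
    """Request one row of `table` with only the anon key; return (verdict, detail)."""
    url = f"{project_url.rstrip('/')}/rest/v1/{table}?select=*&limit=1"
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}
    status, body = fetch(url, headers)
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if status == 200 and isinstance(data, list):
        if data:
            # Report column names only, never the row values.
            return "EXPOSED", f"anon can read rows (columns: {sorted(data[0])})"
        return "NO_ROWS", "nothing visible to anon (RLS filter or empty table)"
    if status in (401, 403):
        return "DENIED", "request rejected for the anon role"
    if status == 404:
        return "NOT_FOUND", "table is not exposed through the API"
    return "UNKNOWN", f"unexpected HTTP {status}"

def audit(project_url, anon_key, tables, public_tables=(), fetch=http_get):
    """Return (table, detail) for anon-readable tables not meant to be public."""
    findings = []
    for table in tables:
        verdict, detail = probe_table(project_url, anon_key, table, fetch)
        if verdict == "EXPOSED" and table not in public_tables:
            findings.append((table, detail))
    return findings

if __name__ == "__main__":
    # Assumed env var names; table names come from the command line.
    results = audit(os.environ["SUPABASE_URL"], os.environ["SUPABASE_ANON_KEY"], sys.argv[1:])
    for table, detail in results:
        print(f"REVIEW {table}: {detail}")
    sys.exit(1 if results else 0)
```

A `NO_ROWS` verdict is inconclusive on its own, because an empty table without RLS returns the same empty list; confirm RLS status for those tables in the dashboard.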
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.