Supabase Security Guide
Is Supabase secure by default?
Supabase is not fully secure by default. When you create a new table, Row Level Security (RLS) is disabled, meaning the table is accessible to anyone with your project URL and anon key. The anon key is designed to be public and is embedded in client-side code, so it provides no protection on its own. Supabase relies on developers to explicitly enable RLS and write appropriate policies for each table. Storage buckets default to private, but they still require proper policies to enforce access control. UNPWNED scans your Supabase project to identify tables and storage buckets that lack proper security policies.
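The following audit-and-fix script is an added example, not part of the original page or of UNPWNED's tooling. It is meant for the Supabase SQL editor and assumes a hypothetical table `public.profiles` with a `user_id uuid` column that holds the owner's auth user id.

```sql
-- 1. Audit: every table in the public schema, its RLS state and policy count.
--    Rows with rls_enabled = false are readable with just the anon key
--    if the anon role holds privileges on them.
SELECT c.relname                         AS table_name,
       c.relrowsecurity                  AS rls_enabled,
       (SELECT count(*)
          FROM pg_policy p
         WHERE p.polrelid = c.oid)       AS policy_count
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'public'
   AND c.relkind IN ('r', 'p')           -- ordinary and partitioned tables
 ORDER BY c.relrowsecurity, c.relname;

-- 2. Audit: what the client-facing roles are actually granted.
SELECT table_name, grantee, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_schema = 'public'
   AND grantee IN ('anon', 'authenticated')
 ORDER BY table_name, grantee, privilege_type;

-- 3. Audit: storage buckets and the policies guarding their objects.
SELECT id, name, public FROM storage.buckets;

SELECT policyname, cmd, roles
  FROM pg_policies
 WHERE schemaname = 'storage' AND tablename = 'objects';

-- 4. Fix (hypothetical table public.profiles): enable RLS, then allow
--    signed-in users to read and update only their own row.
--    With RLS on and no policy, anon and authenticated see zero rows.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

CREATE POLICY "profiles_select_own" ON public.profiles
  FOR SELECT TO authenticated
  USING ((SELECT auth.uid()) = user_id);

CREATE POLICY "profiles_update_own" ON public.profiles
  FOR UPDATE TO authenticated
  USING ((SELECT auth.uid()) = user_id)
  WITH CHECK ((SELECT auth.uid()) = user_id);
```

A table that shows `rls_enabled = true` with `policy_count = 0` is locked to client roles rather than exposed, so the rows to prioritize are those with `rls_enabled = false` that also appear in the grants query.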
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.
More Supabase Security Questions
What is Row Level Security (RLS) in Supabase and why does it matter?
How do I check if RLS is enabled on my Supabase tables?
Can Supabase data be accessed without authentication?
What is the difference between the Supabase service_role key and the anon key?
How do I secure Supabase Storage buckets?
How secure are Supabase Edge Functions?