Free Security Tool
App security is like a house.
Are your doors locked, or can anyone come in and steal your data?
Row Level Security
Tests every table for anonymous read, insert, update, and delete access. Flags tables with missing or misconfigured RLS policies.
Hidden Table Discovery
Uses PostgREST PGRST205 error hints to find tables not exposed in your public schema — tables you might not know are accessible.
Storage Buckets
Enumerates all Supabase Storage buckets and checks for public file listing — including file counts and sample filenames.
RPC Functions
Tests each database function for anonymous invocability. Flags functions that can be called without authentication.
Edge Functions
Discovers and probes Supabase Edge Functions to check if they're callable without authentication — revealing your app's serverless API surface.
Service Role Key Leak
Scans all JavaScript bundles for accidentally exposed service_role keys — which bypass all RLS and grant full database access.
Write Access Testing
Safely tests INSERT, UPDATE, and DELETE operations on tables to detect wide-open write policies. All test rows are immediately rolled back.
Supabase tables are publicly accessible by default. If you forget to enable RLS or leave a policy too permissive, anyone with your anon key can read or modify data. The anon key is always visible in your frontend JavaScript.
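To show what the RLS check above is looking for, here is an added example (not code from this page or from LaunchGuard) for a hypothetical invoices table: the two wide-open states the scan flags, followed by a hardened set of policies that scope every operation to the signed-in owner.

```sql
-- Added example, not part of this page or the LaunchGuard tool.
-- "invoices" and its columns are hypothetical; auth.uid() and the
-- "authenticated"/"anon" roles are Supabase's own.

-- Weak state 1: RLS never enabled. PostgREST returns every row to any
-- request that carries the (public) anon key.
create table invoices (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),
  amount     numeric not null,
  created_at timestamptz not null default now()
);

-- Weak state 2: RLS enabled, but a catch-all policy grants every role
-- full read and write access, so enabling RLS changed nothing.
alter table invoices enable row level security;
create policy "open" on invoices for all using (true) with check (true);

-- Hardened: drop the catch-all policy and grant only the authenticated
-- role access to its own rows. With no policy naming "anon", anonymous
-- requests get zero rows, because RLS is deny-by-default once enabled.
drop policy "open" on invoices;
create policy "invoices_select_own" on invoices
  for select to authenticated
  using (owner_id = auth.uid());
create policy "invoices_insert_own" on invoices
  for insert to authenticated
  with check (owner_id = auth.uid());
create policy "invoices_update_own" on invoices
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy "invoices_delete_own" on invoices
  for delete to authenticated
  using (owner_id = auth.uid());

-- Review check: list the policies so a leftover "using (true)" or a policy
-- that still names "anon" is visible before the table ships.
select policyname, roles, cmd, qual, with_check
  from pg_policies
 where tablename = 'invoices';
```

Run the final query against your own project; any row whose qual or with_check is simply "true", or whose roles include anon on a private table, is the kind of finding the Row Level Security check reports.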
Your service_role key bypasses all RLS policies. If it leaks into a JavaScript bundle (even from a "server-only" file that your bundler pulls into the client build), attackers get full read/write access to every table.
PostgREST (which powers the Supabase REST API) returns helpful error messages that can reveal table names not in the public schema. Our PGRST205 probe tests 120+ common table names to find hidden tables that might be exposed.
Supabase Storage buckets can be set to public, allowing anyone to list and download all files. This is sometimes intentional (avatars), but often exposes private uploads like documents, invoices, or internal files.
This tool focuses exclusively on Supabase-specific security. For a broader scan that includes API cost exposure, rate limiting gaps, and endpoint fuzzing, try the full LaunchGuard scan.