FixVibe

// code / spotlight

Supabase RLS in Migrations

A public table without RLS is a future data leak.

Der Köder

Supabase's anon key is meant to ship to browsers. The database boundary is Row Level Security. When a migration creates a public table and never enables RLS, the app is relying on route handlers and client code to remember authorization forever.

So funktioniert's

The repo check parses SQL migration files, records `CREATE TABLE` statements for public-schema tables, and verifies each one has a matching `ALTER TABLE ... ENABLE ROW LEVEL SECURITY` statement somewhere in the repository. Non-public Supabase schemas such as `auth`, `storage`, and `realtime` are ignored.

Die Auswirkungen

A missing RLS migration may not leak data on day one, but it removes the database-enforced guardrail before the table starts holding user records, billing data, profile data, or internal workflow state. Once the table is exposed through Supabase's REST API, the public anon key becomes enough to test it.

// was fixvibe prĂŒft

Was FixVibe prĂŒft

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Wasserdichte Verteidigung

Add a follow-up migration for each affected table: `alter table public.<table> enable row level security;` and usually `alter table public.<table> force row level security;`. Then add least-privilege policies for each operation the app needs, scoped by `auth.uid()` or by server-only service-role routes. For sensitive server-only data, prefer a non-public schema.

// lass es auf deiner eigenen App laufen

Ship weiter, wÀhrend FixVibe mitwacht.

FixVibe testet die öffentliche OberflĂ€che deiner App so unter Druck, wie ein Angreifer es tun wĂŒrde — ohne Agent, ohne Installation, ohne Karte. Wir recherchieren laufend neue Schwachstellenmuster und machen daraus praktische Checks und kopierfertige Fixes fĂŒr Cursor, Claude und Copilot.

Quellcode
116
Tests in dieser Kategorie
Module
76
dedizierte quellcode-PrĂŒfungen
pro Scan
487+
Tests ĂŒber alle Kategorien
  • Kostenlos — keine Karte, keine Installation, kein Slack-Ping
  • Einfach URL einfĂŒgen — wir crawlen, prĂŒfen und reporten
  • Findings nach Schweregrad sortiert, auf Signal dedupliziert
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Kostenlosen Scan starten →

// aktuelle Checks · praktische Fixes · mit Vertrauen shippen

Supabase RLS in Migrations — Vulnerability-Spotlight | FixVibe · FixVibe