// docs / baas security / umbrella scanner
BaaS misconfiguration scanner: find public data paths before users do
Backend-as-a-Service providers โ Supabase, Firebase, Clerk, Auth0, Appwrite, Convex โ all fail security in the same shape: the platform ships sensible defaults, the developer (or the AI coding tool) reaches for a shortcut, and a public path opens between an unauthenticated attacker and customer data. A BaaS misconfiguration scanner is the only tool that probes that path from the outside the way an attacker would. This article maps the five recurring misconfiguration classes, explains how the FixVibe umbrella BaaS scan works, compares the four major providers, and contrasts the BaaS-aware scanner against general DAST tools.
Why BaaS misconfigurations have a recurring shape
Every BaaS platform follows the same architecture: a managed backend with a thin client SDK that talks to it from the browser. The browser-facing client needs some credential โ an anon key, a publishable key, a Firebase project ID โ to identify itself to the backend. That credential is intentionally public; the safety of the architecture rests on platform-level access controls (RLS, rules, allowlists) doing their job.
AI coding tools build on top of this architecture without internalising the platform-controls layer. They wire the client SDK correctly, accept the platform's default permissive rules (which exist for tutorial-friendliness), and ship. The recurring shape is: public credential + permissive default rule + missing override = data exposure. The five misconfiguration classes below are all variants of this shape.
The five recurring misconfiguration classes
These appear across every BaaS provider. A complete scan covers all five against every provider in use:
Class 1: Wrong key in the browser bundle
The browser ships the secret/admin key (Supabase service_role, Firebase Admin SDK private key, Clerk sk_*, Auth0 client secret) instead of the public/anon equivalent. The browser becomes an unconstrained admin client. Covered by FixVibe's bundle-secrets check.
Class 2: Access-control layer disabled or permissive
RLS is off, Firebase rules are if true, the Auth0 callback list is wildcarded. The credential in the browser is the correct one โ but the platform-level boundary that was meant to constrain it isn't doing its job.
Class 3: Anonymous reads of sensitive resources
Anon-readable Firestore collections, anon-listable Supabase storage buckets, anon-accessible Auth0 management API. The scan asks: "with no credentials, what can I read?"
Class 4: Test-mode artefacts in production
Test keys (pk_test_*, sb_test_*) in a production deploy; dev-mode Firebase apps reachable from the live domain; test-tenant Auth0 applications with weaker settings than production. The scan compares the runtime keys against the expected production prefixes.
Class 5: Webhook signature verification missing
Clerk webhooks, Stripe webhooks, Supabase webhooks all sign their payloads. A handler that doesn't verify the signature is a database-write primitive for any attacker who guesses the URL. Detected via response shape โ an unsigned request that gets a 200 means verification is skipped.
How the FixVibe umbrella BaaS scan works
FixVibe's BaaS phase runs in three stages, each producing distinct findings:
- <strong>Stage 1 โ provider fingerprinting.</strong> The scanner crawls the deployed app, parses every JavaScript chunk, and identifies which BaaS providers the app uses. Each provider has a distinctive runtime signature: Supabase uses <code>*.supabase.co</code>; Firebase uses <code>firebase.initializeApp({ projectId: ... })</code>; Clerk uses <code>pk_*</code> keys with a known prefix; Auth0 uses <code>clientId</code> and <code>domain</code>. The scanner records which providers are present and extracts the project identifiers.
- Stage 2 โ provider-specific probes. For each detected provider, the scanner runs the provider-specific check:
baas.supabase-rlsprobes PostgREST;baas.firebase-rulesprobes Firestore + RTDB + Storage;baas.clerk-auth0validates the prefix of bundled keys; the bundle-secrets check validates that no service-tier credentials leaked. Each probe runs independently โ a Supabase finding doesn't block the Firebase scan. - Stage 3 โ cross-provider correlation. The scanner cross-references findings. A leaked Supabase service-role key alongside missing RLS is more severe than either finding alone โ the report surfaces this. Multiple identity providers (Clerk + Auth0 + custom auth) in the same app is a structural finding flagged for review.
Every probe is passive: at most one anonymous read per resource, with response shape recorded but row contents never paginated or stored. Write and modify probes are gated behind verified domain ownership โ they never run against unverified targets.
What the scanner finds per provider
Each BaaS provider has a different surface and a different scan strategy. Here's what's covered:
- Supabase: missing RLS on tables, anon-listable storage buckets, leaked
service_roleJWT orsb_secret_*key in bundle, exposed schemas via anonymous OpenAPI listing. See Supabase RLS scanner and Storage checklist. - Firebase:
if truerules on Firestore, Realtime Database, and Cloud Storage; anon-listable Storage buckets; missing App Check enforcement. See Firebase rules scanner and If-true rule explainer. - Clerk: bundled
sk_*secret keys,pk_test_*in production, missing webhook signature verification, wildcard allowed origins. See Clerk checklist. - Auth0: bundled client secrets, Implicit grant enabled, wildcard callback / logout URLs, missing PKCE on SPAs. See Auth0 checklist.
How a BaaS scanner compares to general DAST and SAST tools
A BaaS-aware scanner does specific work that other tools don't. The comparison:
| Aspect | FixVibe (BaaS-aware DAST) | General DAST (Burp / ZAP) | SAST / SCA (Snyk / Semgrep) |
|---|---|---|---|
| BaaS coverage | Native checks for Supabase, Firebase, Clerk, Auth0, Appwrite | Generic web crawl; no provider-specific probes | Static analysis of repo only; no production validation |
| Setup time | URL โ run โ results in 60 seconds | Hours: configure spider, auth, scope | Day: integrate into repo CI |
| What it proves | Production-runtime exposure with HTTP-level evidence | Web-app vulns (XSS, SQLi); BaaS via manual config | Code patterns that may or may not deploy |
| JavaScript bundle inspection | Decodes JWTs, matches secret prefixes, walks chunks | Limited โ string-based grep only | Yes, but only repo-side, not deployed |
| Continuous scanning | Monthly / on-deploy via API + MCP | Manual; configure schedule yourself | Per-commit (good for code, blind to runtime) |
| Price for solo / small team | Free tier; paid from $19/mo | Burp Pro $499/yr; ZAP free but high false positives | Snyk free / Semgrep free; paid tiers from $25/dev |
Honest scope: what this scanner doesn't replace
A BaaS-aware DAST scanner is a focused tool, not a full security program. It does not:
- Replace SAST or SCA. Static analysis finds dependency CVEs (Snyk, Semgrep) and code-level vulnerabilities (SonarQube) that a DAST scanner cannot. Run both.
- Replace manual penetration testing. A human pentester finds business-logic flaws, authorization edge cases, and chained vulnerabilities that no scanner can. Hire a pentester before a major launch or compliance audit.
- Audit your code or repo for secrets in git history. The bundle-secrets check covers what is currently deployed, not what was historically committed. Use
git-secretsorgitleaksfor repo hygiene. - Cover non-BaaS backend services. If your app uses a custom backend (Express, Rails, Django, FastAPI), FixVibe scans its HTTP surface but does not probe the database or infrastructure behind it. That's general DAST + SAST territory.
Frequently asked questions
Does the umbrella scan work if my app uses two BaaS providers (e.g., Supabase + Clerk)?
Yes โ provider fingerprinting and per-provider probes are independent. The scanner detects both, runs both check suites, and reports cross-provider correlations (e.g., a Supabase JWT template from Clerk that ships email as a claim alongside missing RLS).
How is this different from running Burp Suite Pro against my app?
Burp is a general DAST workbench. Out of the box, Burp does not know what PostgREST, Firestore, or the Auth0 callback path is โ you have to manually configure scope, write extensions, and interpret responses. FixVibe ships with built-in BaaS probes and BaaS-shaped evidence formatting. Burp wins on general web-app coverage (XSS, SQLi, business logic); FixVibe wins on BaaS-specific findings.
What about App Check (Firebase) or attestation (Apple / Google)?
App Check makes opportunistic external scans return 403 on every probe โ the correct outcome for a malicious bot. A FixVibe scan from an unattested client behaves the same way. If you have App Check enabled and FixVibe still reports findings, it means your rules are open to attested clients too, which is the real risk. App Check + correct rules is the defense-in-depth pattern.
Can the scanner verify my fix?
Yes โ re-run after applying the fix. The check IDs (e.g., baas.supabase-rls) are stable across runs, so you can diff findings: a finding that was open in run 1 and absent in run 2 is proof the fix landed.
Next steps
Run a free FixVibe scan against your production URL โ the BaaS-phase checks ship on every plan, including the free tier. For provider-specific deep-dives, the individual articles in this section cover each provider in detail: Supabase RLS, Supabase service-key exposure, Supabase storage, Firebase rules, Firebase if-true, Clerk, and Auth0.