FixVibe


Supabase storage bucket security checklist: 22 items

Supabase Storage sits on top of an S3-compatible bucket and shares the database's Row-Level Security model. That means the RLS pitfalls that apply to tables apply to file access too — plus a handful of storage-specific ones that show up when AI coding tools wire up uploads. This checklist has 22 items in five sections: bucket configuration, RLS policies, upload validation, signed URLs, and operational hygiene. Each can be verified in under 15 minutes.

Each item stands on its own. For a closer look at RLS mechanics, see the Supabase RLS scanner. For the key-exposure class adjacent to storage, see Supabase service role key exposed in JavaScript.

Bucket configuration

Start with the right defaults. A misconfigured bucket leaks files whether or not your RLS is correct.

  1. Default every bucket to private. In the Supabase Dashboard → Storage → Buckets, leave the Public bucket toggle off unless there is a specific reason to open it (marketing assets, public avatars with no PII). Public buckets bypass RLS for reads — anyone who knows the bucket name can list and download.
  2. Set a hard file size limit on every bucket. Dashboard → Bucket settings → File size limit. 50 MB is a sensible default for user uploads; raise it for video / large-file use cases. Without a limit, a single malicious upload can exhaust your storage quota or your monthly bandwidth.
  3. Restrict the MIME types allowed on every bucket. Allowed MIME types list — an explicit allowlist, never a blocklist. image/jpeg, image/png, image/webp for image-only buckets. Never allow text/html, application/javascript, or image/svg+xml on a user-content bucket — they execute in the browser when served from a signed URL.
  4. Use one bucket per content type, not one shared bucket. Per-bucket settings (size, MIME types, RLS policies) are your unit of granularity. It is far easier to lock down a user-avatars bucket, a document-uploads bucket, and a public-assets bucket than a single mixed bucket.
  5. Verify the CORS configuration if the frontend uploads directly. If the client uploads straight from the browser to a signed URL, the bucket CORS must list your production origin. * is acceptable on public buckets only — never on buckets holding user PII.
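The five bucket-configuration items can be checked mechanically against the bucket list the SDK returns, which is also what a quarterly re-audit (operational hygiene, item 1) reruns. The following is an added example written for this page, not FixVibe's or Supabase's own code. It assumes bucket records shaped like the `supabase.storage.listBuckets()` response (`name`, `public`, `file_size_limit`, `allowed_mime_types`); the `corsOrigins` and `holdsPii` options are constructed inputs, since CORS is not part of that response.

```javascript
// Added example (not FixVibe's or Supabase's own code): audit bucket settings
// against the bucket-configuration checklist. Input records follow the shape of
// supabase.storage.listBuckets(); `corsOrigins` / `holdsPii` are assumptions
// supplied per bucket by the caller.

// Types that execute in a browser when served from a URL (checklist item 3).
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html',
  'application/javascript',
  'text/javascript',
  'image/svg+xml',
]);

const DEFAULT_MAX_BYTES = 50 * 1024 * 1024; // 50 MB, the checklist's default

/**
 * Returns the findings for one bucket. An empty list means the bucket passes
 * items 1, 2, 3 and 5 (item 4, one bucket per content type, is a design choice
 * and cannot be judged from a single bucket's settings).
 *
 * @param {object} bucket             record as returned by listBuckets()
 * @param {object} [opts]
 * @param {boolean} [opts.holdsPii]   treat the bucket as holding user data (default true)
 * @param {boolean} [opts.largeFiles] bucket is a declared video / large-file bucket
 * @param {string[]} [opts.corsOrigins] constructed: configured CORS origins
 */
function auditBucket(bucket, opts = {}) {
  const holdsPii = opts.holdsPii !== false;
  const findings = [];

  // Item 1: private unless explicitly justified.
  if (bucket.public && holdsPii) {
    findings.push(`${bucket.name}: public bucket holding user data; reads bypass RLS`);
  }

  // Item 2: a hard size limit must be set, and stay near the default unless justified.
  if (bucket.file_size_limit == null) {
    findings.push(`${bucket.name}: no file size limit (checklist default is ${DEFAULT_MAX_BYTES} bytes)`);
  } else if (bucket.file_size_limit > DEFAULT_MAX_BYTES && !opts.largeFiles) {
    findings.push(`${bucket.name}: size limit ${bucket.file_size_limit} exceeds the 50 MB default`);
  }

  // Item 3: explicit MIME allowlist, with no browser-executable types on it.
  const allowed = bucket.allowed_mime_types;
  if (!Array.isArray(allowed) || allowed.length === 0) {
    findings.push(`${bucket.name}: no MIME allowlist (any content type accepted)`);
  } else {
    for (const t of allowed) {
      if (ACTIVE_CONTENT_TYPES.has(String(t).toLowerCase())) {
        findings.push(`${bucket.name}: allowlist permits browser-executable type ${t}`);
      }
    }
  }

  // Item 5: wildcard CORS is only acceptable on public, non-PII buckets.
  const cors = opts.corsOrigins || [];
  if (cors.includes('*') && (holdsPii || !bucket.public)) {
    findings.push(`${bucket.name}: CORS origin * on a private or PII bucket`);
  }

  return findings;
}

// Audit every bucket in a listBuckets() result; returns { bucketName: findings[] }.
function auditAllBuckets(buckets, optsByName = {}) {
  const report = {};
  for (const b of buckets) {
    report[b.name] = auditBucket(b, optsByName[b.name]);
  }
  return report;
}

// Constructed sample buckets, shaped like a listBuckets() response.
const SAMPLE_BUCKETS = [
  { name: 'user-avatars', public: false, file_size_limit: 2 * 1024 * 1024,
    allowed_mime_types: ['image/jpeg', 'image/png', 'image/webp'] },
  { name: 'document-uploads', public: false, file_size_limit: null,
    allowed_mime_types: ['application/pdf', 'image/svg+xml'] },
  { name: 'public-assets', public: true, file_size_limit: 10 * 1024 * 1024,
    allowed_mime_types: ['image/png', 'image/webp'] },
];

// Constructed per-bucket context (CORS origins, PII classification).
const SAMPLE_OPTS = {
  'document-uploads': { corsOrigins: ['*'] },
  'public-assets': { holdsPii: false, corsOrigins: ['*'] },
};

console.log(JSON.stringify(auditAllBuckets(SAMPLE_BUCKETS, SAMPLE_OPTS), null, 2));
```

Run as-is, the sample produces three findings for document-uploads (no size limit, SVG on the allowlist, wildcard CORS on a private bucket) and none for the other two. Feeding it the real `listBuckets()` output turns the quarterly dashboard review into a diff you can keep in CI.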

RLS policies on storage.objects

Supabase Storage stores file metadata in the storage.objects table. RLS on that table decides who can read, upload, update, or delete files. Without RLS, the bucket's public/private flag is your only defence.

  1. Confirm RLS is enabled on storage.objects. SELECT rowsecurity FROM pg_tables WHERE schemaname = 'storage' AND tablename = 'objects'; must return true. Supabase enables it on new projects; confirm nobody has disabled it.
  2. Write a SELECT policy scoped to auth.uid() for private buckets. CREATE POLICY "users_read_own_files" ON storage.objects FOR SELECT USING (auth.uid()::text = (storage.foldername(name))[1]);. The pattern is to store files under [user-id]/[filename] and use storage.foldername() to extract the owner from the path.
  3. Write an INSERT policy that enforces the same path convention. CREATE POLICY "users_upload_own" ON storage.objects FOR INSERT WITH CHECK (auth.uid()::text = (storage.foldername(name))[1]);. Without a WITH CHECK, an authenticated user can upload into someone else's folder.
  4. Add UPDATE and DELETE policies if your app supports file edits or deletes. Each command needs its own policy. Omit DELETE and authenticated users cannot delete their own files; omit UPDATE and file overwrites fail quietly.
  5. Test cross-user access in two browser sessions. Sign in as User A, upload a file, copy the path. Sign in as User B in a different browser and try to fetch the file through the REST API. The response must be 403 or 404, never 200.
```sql
-- Confirm RLS on storage.objects
SELECT rowsecurity
FROM   pg_tables
WHERE  schemaname = 'storage' AND tablename = 'objects';

-- SELECT policy: scope reads to the owning user's folder.
CREATE POLICY "users_read_own_files"
  ON storage.objects
  FOR SELECT
  USING (auth.uid()::text = (storage.foldername(name))[1]);

-- INSERT policy: enforce the [user-id]/[filename] path convention.
CREATE POLICY "users_upload_own"
  ON storage.objects
  FOR INSERT
  WITH CHECK (auth.uid()::text = (storage.foldername(name))[1]);
```
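To see which object paths the two policies admit, and why the cross-user test in item 5 must come back denied, the policy bodies can be emulated outside Postgres. The following is an added example written for this page, not FixVibe's or Supabase's own code. `foldername` re-implements the documented behaviour of `storage.foldername()` (every path segment except the last), the policy table mirrors the SQL block, and the user ids are constructed.

```javascript
// Added example (not FixVibe's or Supabase's own code): emulate how the
// SELECT/INSERT policies evaluate for given users and object paths.

// Mirrors storage.foldername(name): all path segments except the filename.
function foldername(name) {
  const parts = name.split('/');
  return parts.slice(0, parts.length - 1);
}

// Equivalent of `auth.uid()::text = (storage.foldername(name))[1]`.
// Postgres index 1 is JavaScript index 0. A missing element is NULL, and
// NULL = anything is not true, so top-level files never match; a NULL
// auth.uid() (anonymous request) never matches either.
function ownsFolder(uid, name) {
  const first = foldername(name)[0];
  return first !== undefined && uid !== null && uid !== undefined && first === uid;
}

// Permissive RLS: a command is allowed if any policy for that command passes.
// A command with no policy at all is denied (checklist item 4).
const POLICIES = [
  { name: 'users_read_own_files', cmd: 'SELECT', check: ownsFolder },
  { name: 'users_upload_own',     cmd: 'INSERT', check: ownsFolder },
  // No UPDATE or DELETE policy, matching the SQL block above.
];

function allowed(cmd, uid, name, policies = POLICIES) {
  return policies.some((p) => p.cmd === cmd && p.check(uid, name));
}

// The DELETE policy item 4 asks for, expressed the same way.
const WITH_DELETE = [...POLICIES, { name: 'users_delete_own', cmd: 'DELETE', check: ownsFolder }];

// Constructed ids and path for the two-session test in item 5.
const USER_A = '11111111-aaaa-4aaa-8aaa-111111111111';
const USER_B = '22222222-bbbb-4bbb-8bbb-222222222222';
const A_FILE = `${USER_A}/passport.pdf`;

function runScenario() {
  return {
    aReadsOwn:             allowed('SELECT', USER_A, A_FILE),            // true
    aReadsNested:          allowed('SELECT', USER_A, `${USER_A}/2024/x.jpg`), // true: [1] is still the owner
    bReadsA:               allowed('SELECT', USER_B, A_FILE),            // false: cross-user, expect 403/404
    anonReadsA:            allowed('SELECT', null, A_FILE),              // false: no session
    bUploadsIntoA:         allowed('INSERT', USER_B, A_FILE),            // false: WITH CHECK rejects
    aUploadsTopLevel:      allowed('INSERT', USER_A, 'loose.png'),       // false: no owner folder
    aDeletesOwn:           allowed('DELETE', USER_A, A_FILE),            // false: no DELETE policy
    aDeletesOwnWithPolicy: allowed('DELETE', USER_A, A_FILE, WITH_DELETE), // true
  };
}

console.log(runScenario());
```

The two results worth internalising are `aUploadsTopLevel` and `aDeletesOwn`: a file stored without the `[user-id]/` prefix is unreachable under these policies even by its uploader, and a missing DELETE policy denies deletes silently rather than erroring at policy-definition time.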

Upload validation

Validate every upload server-side, even when the bucket already carries MIME and size constraints. AI coding tools generate client-only validation by default, which protects nothing on its own.

  1. Re-check the MIME type server-side from the file's actual bytes, not the Content-Type header. Use the file-type library (Node) or magic-byte sniffing. An attacker can declare Content-Type: image/jpeg on a file that is really a polyglot HTML / JavaScript payload.
  2. Strip EXIF metadata from uploaded images. EXIF can embed GPS coordinates, device serial numbers, and timestamps. Use sharp with .withMetadata(false) or exif-parser to strip it before storage.
  3. Reject SVGs that contain script tags or onload handlers. SVG is XML — and many AI-generated apps allow SVG uploads as "just an image." Use DOMPurify server-side, or simply do not allow SVG uploads at all.
  4. Use deterministic, unguessable filenames. Never keep the original filename. Use a UUID or a hash of the file contents. Original filenames leak information ("passport_scan_2024_01_15.jpg") and are easy to guess for enumeration.

Signed URLs

Signed URLs are how clients reach private buckets. Expiry, bucket scope, and what gets logged all matter.

  1. Default signed-URL expiry to 1 hour or less. createSignedUrl(path, expiresIn) in the Supabase JS SDK takes seconds. Never use 31536000 (1 year) — the URL becomes a permanent semi-public link.
  2. Never store signed URLs in your database. Generate a fresh one server-side on every request. A stored signed URL with a 1-year expiry that leaks in a database dump grants long-term access.
  3. Log signed-URL generation, not just file uploads. When you investigate a compromise, you need to know who generated the URL and when. Log auth.uid() + bucket + object path + timestamp.
  4. Use the download option when serving user-uploaded files. createSignedUrl(path, expiresIn, { download: '.jpg' }) sets a Content-Disposition: attachment header so the file is downloaded rather than rendered — defeating the HTML / SVG / HTML-in-PDF execution class.
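Items 1, 3 and 4 belong in one server-side wrapper so that no call site can forget them. The following is an added example written for this page, not FixVibe's or Supabase's own code. It assumes a `storage` object with the SDK's `from(bucket).createSignedUrl(path, expiresIn, { download })` call shape and `{ data, error }` result; the `fakeStorage()` implementation and the audit-log array are constructed so the example runs without a project.

```javascript
// Added example (not FixVibe's or Supabase's own code): clamp expiry, force the
// download disposition and audit every signed URL issued. `storage` follows
// the supabase-js call shape; fakeStorage() is a constructed stand-in.

const MAX_EXPIRY_SECONDS = 3600; // checklist item 1: one hour or less

// Pure planning step: decide what will be requested from the SDK.
function planSignedUrl({ uid, bucket, path, expiresIn = MAX_EXPIRY_SECONDS, filename }) {
  if (!uid) throw new Error('signed URLs are only issued to authenticated users');
  const requested = Number.isFinite(expiresIn) ? Math.floor(expiresIn) : MAX_EXPIRY_SECONDS;
  const clamped = Math.min(Math.max(1, requested), MAX_EXPIRY_SECONDS);
  return {
    bucket,
    path,
    expiresIn: clamped,
    clamped: clamped !== requested,
    // `download: true` sets Content-Disposition: attachment; a string also
    // supplies the filename the browser saves under (item 4).
    options: { download: filename || true },
  };
}

// Issue the URL and append an audit record (item 3) whether or not it succeeded.
async function createAuditedSignedUrl(storage, auditLog, req, now = () => new Date()) {
  const plan = planSignedUrl(req);
  const { data, error } = await storage
    .from(plan.bucket)
    .createSignedUrl(plan.path, plan.expiresIn, plan.options);
  auditLog.push({
    uid: req.uid,
    bucket: plan.bucket,
    path: plan.path,
    expiresIn: plan.expiresIn,
    clamped: plan.clamped,
    at: now().toISOString(),
    ok: !error,
  });
  if (error) throw new Error(`signed URL failed: ${error.message}`);
  return data.signedUrl; // returned to the caller, never persisted (item 2)
}

// Constructed fake with the SDK's call shape, for running offline.
function fakeStorage() {
  return {
    from(bucket) {
      return {
        async createSignedUrl(path, expiresIn, opts) {
          const q = new URLSearchParams({
            token: 'FAKE-TOKEN',
            expires: String(expiresIn),
            download: String(opts.download),
          });
          const signedUrl = `https://example.invalid/storage/v1/object/sign/${bucket}/${path}?${q}`;
          return { data: { signedUrl }, error: null };
        },
      };
    },
  };
}

const AUDIT_LOG = [];
createAuditedSignedUrl(fakeStorage(), AUDIT_LOG, {
  uid: 'user-a',
  bucket: 'document-uploads',
  path: 'user-a/report.pdf',
  expiresIn: 31536000, // a one-year request is clamped to 3600
}).then((url) => console.log(url, AUDIT_LOG));
```

A caller asking for a one-year link gets an hour and an audit entry with `clamped: true`, which is itself a useful signal: code requesting long expiries is usually the code that intends to store the URL.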

Operational hygiene

Storage configuration drifts over time. These four operational items keep the surface small.

  1. Audit buckets quarterly. Dashboard → Storage → Buckets. Confirm the public/private state and MIME-type lists match what the app actually needs. Buckets created "temporarily" tend to become permanent unless someone calls them out.
  2. Watch for anonymous list operations. The storage logs (Dashboard → Logs → Storage) record LIST requests. A spike in anonymous list requests against a private bucket means someone outside is probing.
  3. Set a retention policy for ephemeral uploads. Temp buckets (image previews, draft uploads) should auto-delete after 24-72 hours via a scheduled function. Indefinite retention is a liability under GDPR / CCPA data-minimisation obligations.
  4. Run a FixVibe scan every month. The baas.supabase-storage-public check probes for buckets that respond to anonymous GET + LIST. New buckets appear; old buckets change visibility — only continuous scanning catches the drift.
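Items 2 and 3 are the two that need code rather than a dashboard setting: a detector over the storage request logs, and the selection step of a scheduled cleanup. The following is an added example written for this page, not FixVibe's or Supabase's own code. The JSON log-line shape (`ts`, `method`, `path`, `status`, `role`) is constructed for the example and is not the Dashboard's export format; only the request path, `POST /storage/v1/object/list/<bucket>`, follows the Storage API. The object records follow the `name` / `created_at` fields of the SDK's `list()` result.

```javascript
// Added example (not FixVibe's or Supabase's own code): anonymous LIST spike
// detection over constructed storage log lines, and expired-object selection
// for a temp bucket cleanup.

const LIST_PATH = /^\/storage\/v1\/object\/list\/([^/?]+)/;

// Parse one constructed JSON log line into a LIST event, or null if it is not one.
function parseStorageLog(line) {
  let rec;
  try { rec = JSON.parse(line); } catch { return null; }
  if (rec.method !== 'POST') return null;
  const m = LIST_PATH.exec(rec.path || '');
  if (!m) return null;
  return { ts: Date.parse(rec.ts), bucket: m[1], anonymous: rec.role === 'anon', status: rec.status };
}

/**
 * One alert per bucket whose anonymous LIST count within any `windowMs`
 * window reaches `threshold` (sliding window over sorted timestamps).
 */
function findAnonymousListSpikes(lines, { windowMs = 60_000, threshold = 5 } = {}) {
  const byBucket = new Map();
  for (const line of lines) {
    const ev = parseStorageLog(line);
    if (!ev || !ev.anonymous || Number.isNaN(ev.ts)) continue;
    if (!byBucket.has(ev.bucket)) byBucket.set(ev.bucket, []);
    byBucket.get(ev.bucket).push(ev.ts);
  }
  const alerts = [];
  for (const [bucket, times] of byBucket) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        alerts.push({
          bucket,
          count: end - start + 1,
          from: new Date(times[start]).toISOString(),
          to: new Date(times[end]).toISOString(),
        });
        break; // one alert per bucket is enough for a page
      }
    }
  }
  return alerts;
}

// Names of objects older than maxAgeHours, from list()-shaped records; the
// scheduled function passes these to storage.from(bucket).remove(names).
function selectExpiredObjects(objects, maxAgeHours, now = Date.now()) {
  const cutoff = now - maxAgeHours * 3600_000;
  return objects.filter((o) => Date.parse(o.created_at) < cutoff).map((o) => o.name);
}

// Constructed log lines: six anonymous LISTs against a private bucket in 25 s,
// two slow anonymous LISTs against the public bucket, and unrelated traffic.
const SAMPLE_LOG_LINES = [
  ['2024-06-01T12:00:00Z', 'anon', '/storage/v1/object/list/document-uploads', 400],
  ['2024-06-01T12:00:05Z', 'anon', '/storage/v1/object/list/document-uploads', 400],
  ['2024-06-01T12:00:07Z', 'authenticated', '/storage/v1/object/list/document-uploads', 200],
  ['2024-06-01T12:00:10Z', 'anon', '/storage/v1/object/list/document-uploads', 400],
  ['2024-06-01T12:00:15Z', 'anon', '/storage/v1/object/list/document-uploads', 400],
  ['2024-06-01T12:00:20Z', 'anon', '/storage/v1/object/list/document-uploads', 400],
  ['2024-06-01T12:00:25Z', 'anon', '/storage/v1/object/list/document-uploads', 400],
  ['2024-06-01T12:00:03Z', 'anon', '/storage/v1/object/user-avatars/u/a.png', 400, 'GET'],
  ['2024-06-01T12:01:00Z', 'anon', '/storage/v1/object/list/public-assets', 200],
  ['2024-06-01T12:05:00Z', 'anon', '/storage/v1/object/list/public-assets', 200],
].map(([ts, role, path, status, method = 'POST']) => JSON.stringify({ ts, method, path, status, role }));

// Constructed list() records for a temp bucket.
const SAMPLE_OBJECTS = [
  { name: 'draft-old.png', created_at: '2024-05-29T10:00:00Z' },
  { name: 'preview.jpg',   created_at: '2024-05-30T13:00:00Z' },
  { name: 'draft-new.png', created_at: '2024-06-01T09:00:00Z' },
];

console.log(findAnonymousListSpikes(SAMPLE_LOG_LINES));
console.log(selectExpiredObjects(SAMPLE_OBJECTS, 48, Date.parse('2024-06-01T12:00:00Z')));
```

On the sample, only document-uploads trips the detector (five anonymous LISTs inside 20 seconds); the two public-assets calls stay below threshold, and with a 48-hour retention only the three-day-old draft is selected for deletion. The 400 statuses on a private bucket are the tell: the requests are being refused, but the fact that something is enumerating bucket names is the finding.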

Next steps

Run a FixVibe scan against your production URL — anonymous storage listings show up under baas.supabase-storage-public. Pair this checklist with the Supabase RLS scanner for the table layer and Supabase service role key exposed in JavaScript for the adjacent key-exposure class. For storage misconfigurations on other BaaS providers, see the BaaS misconfiguration scanner.

// scan your BaaS surface

Find the open table before someone else does.

Paste a production URL. FixVibe reads which BaaS provider your app talks to, fingerprints its public endpoints, and reports what an unauthenticated client can read or write. No payment, no install, no card.

  • Free tier — 3 scans / month, no card required at signup.
  • Passive BaaS fingerprinting — no domain verification required.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, and more.
  • AI fix prompts for every finding — paste back into Cursor / Claude Code.