FixVibe

// baas / spotlight

Row-Level Security Supabase

Sans RLS sur chaque table publique, ta clé anon est un permis pour tout lire.

L'accroche

Supabase is wonderful and dangerous in the same gesture. The anon API key in your client bundle is public — that's the design. The compensating control is Row-Level Security, a Postgres feature that enforces per-row visibility based on the requesting user's claims. Skip RLS on a table, and the anon key plus a curl command reads every row. We see this in roughly one in three Supabase apps we scan.

Comment ça marche

Supabase exposes Postgres tables as REST endpoints via PostgREST. A request like `GET /rest/v1/users?select=*` from the anon role returns whatever rows the role's RLS policies allow. With RLS enabled and no policy granting SELECT, the table is empty to the anon role — safe. With RLS not enabled, the role's table-level GRANT decides — and Supabase's default GRANTs are permissive on the public schema. The result: an unenabled-RLS table is fully readable to any visitor.

Le rayon d'impact

Customer data leak: emails, profile info, orders, messages, anything in the unprotected table. If you're storing PII and don't have RLS, you have a GDPR breach the moment the table is enumerated. We've seen leaked Stripe customer IDs, password reset tokens, internal admin notes — all reachable with a single curl.

// what fixvibe checks

What FixVibe checks

FixVibe checks backend-as-a-service exposure through safe configuration and access-boundary signals. Reports focus on what is exposed and how to lock it down. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Défenses blindées

Enable Row-Level Security on every table in the public schema. Add explicit policies for the operations each role should be able to perform (SELECT, INSERT, UPDATE, DELETE) and what subset of rows they can touch. The Supabase dashboard surfaces RLS state per table — make 'all RLS enabled, no warnings' a deployment gate. Move sensitive data into a non-public schema where possible — `auth.users` is already there; consider doing the same for high-value tables. Audit your service-role key usage: anywhere the service role appears in a code path the user can influence is a vulnerability waiting to happen. Finally, rotate the anon key when staff turnover happens — yes, it's public, but the *project* binding makes the key uniquely identifying.

À retenir

Supabase's security model is solid; its failures are operational. RLS on every table is the floor, not the ceiling.

// lance-le sur ta propre app

Continue de shipper pendant que FixVibe veille.

FixVibe sonde la surface publique de ton app comme le ferait un attaquant — sans agent, sans install, sans carte. Nous continuons à rechercher de nouveaux schémas de vulnérabilités et à les transformer en checks pratiques et correctifs prêts pour Cursor, Claude et Copilot.

Backend-as-a-Service
17
tests dans cette catégorie
modules
4
vérifications backend-as-a-service dédiées
chaque scan
384+
tests sur toutes les catégories
  • Gratuit — sans carte, sans install, sans ping Slack
  • Colle juste une URL — on crawle, on sonde, on rapporte
  • Findings classés par sévérité, dédupliqués au signal
  • Prompts de correction à jour, prêts pour Cursor, Claude, Copilot
Lancer un scan gratuit

// checks récents · correctifs pratiques · shippe sereinement

Row-Level Security Supabase — Vulnerability Spotlight | FixVibe · FixVibe