FixVibe

// baas / spotlight

Supabase Storage and API Posture

Public buckets and anon-listable objects are where BaaS data leaks start.

Olta

Supabase is safe when public keys stay public, service-role keys stay server-only, and RLS policies actually fence data. The risky middle is Storage: a bucket can be public on purpose for static assets, or accidentally public for invoices, avatars, profile documents, backups, and exports.

Nasıl çalışır

The scanner extracts Supabase project URLs and anon keys from same-origin JavaScript, then uses the anon client boundary to inspect Storage bucket metadata and object-listing behavior. A public marketing-assets bucket is usually low risk. A bucket with user-data naming, or one that lets anonymous clients list object names, is a stronger signal that authorization belongs in Storage RLS and signed URLs instead of public bucket access.

Etki yarıçapı

Anonymous object listing can expose filenames, tenant hints, upload paths, and sometimes the direct object URLs customers assume are private. Even when file contents need a separate request, listing turns a private data lake into an index attackers can scrape.

// fixvibe neyi kontrol eder

FixVibe neyi kontrol eder

FixVibe checks backend-as-a-service exposure through safe configuration and access-boundary signals. Reports focus on what is exposed and how to lock it down. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Sağlam savunmalar

Keep public buckets limited to static assets. Put user uploads, invoices, profile files, backups, exports, and attachments in private buckets. Gate downloads through authenticated server routes or Storage RLS, issue short-lived signed URLs, and verify anon clients cannot list object metadata unless that listing is intentionally public.

// run it on your own app

Sen yayınlamaya devam et, FixVibe gözcülüğü üstlensin.

FixVibe, uygulamanın herkese açık yüzeyini bir saldırganın yapacağı şekilde basınç altına sokar — ajan yok, kurulum yok, kart yok. Yeni zafiyet örüntülerini araştırmaya devam edip onları pratik check’lere ve Cursor, Claude ve Copilot için kopyalayıp yapıştırılabilir düzeltmelere dönüştürüyoruz.

Backend-as-a-Service
17
bu kategoride çalıştırılan testler
modules
4
backend-as-a-service için özel check’ler
her tarama
487+
tüm kategorilerde testler
  • Ücretsiz — kredi kartı yok, kurulum yok, Slack mesajı yok
  • Sadece bir URL yapıştır — biz tarar, sondalar ve raporlarız
  • Önem dereceli, yalnızca sinyale ayıklanmış bulgular
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Ücretsiz tarama başlat

// latest checks · practical fixes · ship with confidence

Supabase Storage and API Posture — Zafiyet Spotlight | FixVibe · FixVibe