FixVibe


Supabase Row-Level Security

Without RLS on every public table, your anon key is a license to read anything.

Overview

Supabase is wonderful and dangerous in the same gesture. The anon API key in your client bundle is public — that's the design. The compensating control is Row-Level Security, a Postgres feature that enforces per-row visibility based on the requesting user's claims. Skip RLS on a table, and the anon key plus a curl command reads every row. We see this in roughly one in three Supabase apps we scan.

How it works

Supabase exposes Postgres tables as REST endpoints via PostgREST. A request like `GET /rest/v1/users?select=*` from the anon role returns whatever rows the role's RLS policies allow. With RLS enabled and no policy granting SELECT, the table is empty to the anon role — safe. With RLS not enabled, the role's table-level GRANT decides — and Supabase's default GRANTs are permissive on the public schema. The result: a table without RLS enabled is fully readable to any visitor.

Impact

Customer data leak: emails, profile info, orders, messages, anything in the unprotected table. If you're storing PII and don't have RLS, you have a GDPR breach the moment the table is enumerated. We've seen leaked Stripe customer IDs, password reset tokens, internal admin notes — all reachable with a single curl.

What FixVibe checks

FixVibe checks backend-as-a-service exposure through safe configuration and access-boundary signals. Reports focus on what is exposed and how to lock it down. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Ironclad defense

Enable Row-Level Security on every table in the public schema. Add explicit policies for the operations each role should be able to perform (SELECT, INSERT, UPDATE, DELETE) and what subset of rows they can touch. The Supabase dashboard surfaces RLS state per table — make 'all RLS enabled, no warnings' a deployment gate. Move sensitive data into a non-public schema where possible — `auth.users` is already there; consider doing the same for high-value tables. Audit your service-role key usage: anywhere the service role appears in a code path the user can influence is a vulnerability waiting to happen. Finally, rotate the anon key when staff turnover happens — yes, it's public, but the *project* binding makes the key uniquely identifying.
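
The audit, fix and deployment gate described above, written as SQL for the Supabase SQL editor or a migration step. This is an added example, not FixVibe's or Supabase's own code; the `orders` table and its `user_id` column are hypothetical, and it assumes the standard Supabase `anon` and `authenticated` roles and the `auth.uid()` helper.

```sql
-- 1) Audit: every table in the public schema with its RLS state, policy count,
--    and whether the anon role holds a table-level SELECT grant.
--    rls_enabled = false AND anon_can_select = true means fully readable.
SELECT c.relname                                    AS table_name,
       c.relrowsecurity                             AS rls_enabled,
       (SELECT count(*) FROM pg_policy p
         WHERE p.polrelid = c.oid)                  AS policy_count,
       has_table_privilege('anon', c.oid, 'SELECT') AS anon_can_select
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
ORDER BY c.relrowsecurity, c.relname;

-- 2) Fix for one table ("orders" / "user_id" are hypothetical names).
--    After ENABLE, the table returns no rows to anon until a policy grants them.
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;

CREATE POLICY orders_select_own ON public.orders
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());        -- each user sees only their own rows

-- 3) Deployment gate: fail the migration or CI step if any public table
--    still has RLS disabled.
DO $$
DECLARE
  offenders text;
BEGIN
  SELECT string_agg(quote_ident(c.relname), ', ' ORDER BY c.relname)
    INTO offenders
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
  WHERE n.nspname = 'public'
    AND c.relkind IN ('r', 'p')
    AND NOT c.relrowsecurity;

  IF offenders IS NOT NULL THEN
    RAISE EXCEPTION 'RLS disabled on public tables: %', offenders;
  END IF;
END $$;
```

A table that shows `rls_enabled = true` with `policy_count = 0` is locked to the anon and authenticated roles, so review those rows to confirm the lockout is intended.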

Key takeaway

Supabase's security model is solid; its failures are operational. RLS on every table is the floor, not the ceiling.
