Back to Blog
Security Guides·6 min read

How to Secure a Supabase App Before Launch: Tools That Actually Test It (2026)

A practical guide to Supabase security tooling — from Supabase's built-in Security Advisor to supabomb and full AI pentesting — based on our research scanning 107 YC startups, 61% of which were exposing data.

Victor

Victor

How to Secure a Supabase App Before Launch: Tools That Actually Test It (2026)

You built your app on Supabase, you're about to onboard real customers, and you want to know it's secure first. This guide covers the tools that actually answer that question — in the order you should use them.

First, the context that makes this urgent. In January 2026 we scanned 107 Y Combinator startups built on Supabase: 61% had some level of data exposure, 28% were leaking personally identifiable information, and 4% were exposing authentication tokens or API keys — more than 20 million rows accessible to anyone with the browser dev tools open. These weren't exotic attacks. Nearly all of it traced to one root cause: missing or misconfigured Row Level Security.

What is the biggest security risk in a Supabase app?

Missing Row Level Security (RLS) policies. Your Supabase anon key ships in your JavaScript bundle by design — it is public. The only thing standing between any visitor and your database tables is RLS. A table created without an RLS policy is readable (often writable) by anyone who copies your anon key from the browser, no "hacking" required. Every tool below exists, directly or indirectly, to catch this class of failure before an attacker does.

The tools, in the order you should use them

1. Supabase Security Advisor — free, built in, run it today

Supabase's dashboard includes a Security Advisor that lints your project for tables without RLS, overly permissive policies, exposed functions, and similar misconfigurations. It's free and takes two minutes: Dashboard → Advisors → Security.

What it catches: the obvious structural problems — RLS disabled, security-definer views, exposed extensions.

What it misses: whether your RLS policies are actually correct. "RLS enabled" with a policy of USING (true) passes the lint and protects nothing. The advisor checks configuration, not behavior.

2. supabomb — free, open source, tests from the attacker's side

supabomb is our open-source CLI for pentesting Supabase instances. Point it at your app's URL and it does what an attacker would: extracts your Supabase URL and anon key from the JavaScript bundle, enumerates accessible tables, and reports exactly which data an anonymous visitor can read or write. It's the same approach we used in the YC research.

What it catches: real, demonstrated exposure — not "RLS is off" but "here are the 14,000 rows of user emails I just read as an anonymous client."

What it misses: it's focused on the Supabase data layer. Your app's own API routes, authentication flows, and business logic are out of scope.

npx supabomb scan https://your-app.com

3. A real pentest of the whole app — when customer data is on the line

RLS is the biggest Supabase-specific risk, but it's not the only way apps leak data. Broken access control in your own API routes, insecure direct object references, auth flows that confuse authentication with authorization — the OWASP Top 10 applies to your app no matter how well-configured Supabase itself is.

This is what ModernPentest does (disclosure: that's us). Our recon agents detect that your app runs on Supabase and automatically include the platform-specific checks — RLS exposure, anon-key data access, storage bucket permissions — alongside a full pentest of your application: every finding confirmed by actually exploiting it, with a fix walkthrough, in a report you can hand to a customer or auditor. Your first pentest is free, no credit card, results in under an hour.

What it catches: the full stack — Supabase misconfigurations plus the vulnerabilities in your own application code and APIs, with proof for each finding.

What it misses: it tests your deployed app from the outside. It won't review your source code line by line.

4. Code-side scanners (Aikido, Snyk, and friends) — complementary, not sufficient

Static analysis platforms scan your repository for vulnerable dependencies, leaked secrets, and insecure code patterns, and several (Aikido notably) have decent Supabase awareness on the configuration side. They're worth having — secrets committed to git are a real and common failure, and we found plaintext API keys in several of the YC startups' client bundles.

But understand what they are: they analyze your code, not your running app. A scanner can verify you didn't commit your service-role key; it cannot tell you whether an anonymous user can read your users table in production. You need testing from both sides; if you only get one, test the running app — that's where your customers' data actually lives.

A pre-launch Supabase security checklist

The 60-second version (the full checklist with SQL examples covers all ten):

  1. RLS enabled on every table — including the ones you "will get to later."
  2. Policies tested as an anonymous client, not just in the dashboard — USING (true) counts as enabled.
  3. Service-role key never in client code — it bypasses RLS entirely; server-side only.
  4. Storage buckets have policies too — RLS on tables doesn't cover Storage.
  5. Database functions use SECURITY INVOKER unless you have a specific reason — SECURITY DEFINER functions bypass RLS.
  6. Run the Security Advisor, then supabomb, then a pentest — config check, data-layer check, full-app check.

Frequently asked questions

Is the Supabase anon key secret?

No. The anon key is designed to be public — it ships in your frontend bundle and anyone can extract it in seconds. Security in Supabase comes entirely from Row Level Security policies, never from hiding the anon key. The service-role key, by contrast, bypasses RLS and must never reach the client.

Does enabling RLS make my app secure?

Enabling RLS is necessary but not sufficient. RLS with a permissive policy (USING (true)) protects nothing, and RLS on tables doesn't cover Storage buckets or SECURITY DEFINER functions. Test policies from an anonymous client's perspective — or use a tool that does — rather than trusting the "RLS enabled" badge.

How often should I re-test?

Every new table, policy change, or schema migration can reintroduce exposure — our YC data showed the exposure rate staying flat at 55–65% across startup batches, because new code keeps shipping new gaps. A one-time check protects you once; continuous or per-deploy testing matches how the risk actually arrives.

Want the full picture beyond the data layer? Run a free pentest — Supabase-specific checks included, report in under an hour.

#supabase#security#rls#security-tools#pentesting

Written by

Victor

Victor

Founder, ModernPentest

ModernPentest

Ready to secure your application?

Get continuous, automated penetration testing for your Supabase, Firebase, or Vercel app. Start your first scan in under 5 minutes.

Start Free TrialSchedule a Demo

Related Posts

Securing Firebase in Production: Complete Security Checklist
Security Guides·20 min read

Securing Firebase in Production: Complete Security Checklist

A comprehensive guide to securing your Firebase application. Learn how to lock down Firestore rules, RTDB permissions, Cloud Storage, Cloud Functions, App Check, Data Connect, and Genkit.

Read more
10 Common Supabase Security Misconfigurations (and How to Fix Them)
Security Guides·9 min read

10 Common Supabase Security Misconfigurations (and How to Fix Them)

Learn how to identify and fix the most dangerous Supabase security misconfigurations that could expose your user data. Includes code examples and remediation steps.

Read more