Supabase Security Testing

Secure Your Supabase App today

Our AI agents are specifically trained on Supabase security patterns. Full pentest + auditor-ready compliance report in under an hour.

AI agents trained on Supabase-specific vulnerabilities
Row-Level Security (RLS) policy testing
PostgREST API authorization checks
Storage bucket permission analysis

No credit card required • First pentest free • SOC 2 reports included

1h: Full Pentest Time. Complete security scan + SOC 2 report.
23%: Apps With RLS Issues. 23% of Supabase apps have exploitable policies.
<5%: False Positive Rate. Only real vulnerabilities reported.
Security Checks

Common Supabase Vulnerabilities We Detect

AI Agents Built for Supabase

Our agents are trained on Supabase architecture and equipped with specialized tooling for RLS, PostgREST, and storage security testing. They understand the nuances of Supabase security that most pentesters miss.

RLS Policy Bypass

high

Every table in the exposed schema (public by default) is reachable through PostgREST with the anon key that ships inside the client app, so a table created without RLS is readable and writable by anyone who has the project URL. Enabling RLS denies everything; each operation then needs its own policy, and weak policies (USING (true), a missing WITH CHECK on writes, or comparing against a client-supplied column instead of auth.uid()) still let users read or modify other users' records. The service_role key bypasses RLS entirely and must never reach a client.

-- Vulnerable: no RLS. Tables in the public schema are exposed through
-- PostgREST, so anyone with the project URL and anon key reads every row.
CREATE TABLE posts (id uuid, user_id uuid, content text);

-- Fixed: enable RLS (deny-all by default) and add a policy per operation.
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
CREATE POLICY "Users can only see own posts" ON posts
  FOR SELECT USING (auth.uid() = user_id);
-- INSERT/UPDATE/DELETE stay blocked until they get their own policies;
-- write policies need WITH CHECK (auth.uid() = user_id) as well.

Edge Function Auth Missing

high

Supabase's gateway checks edge-function requests for a JWT signed with the project secret by default, but that check can be disabled per function (supabase functions deploy --no-verify-jwt), and it passes for the anon key too, since the anon key is itself such a JWT. The function therefore has to establish who is calling: a handler that reads userId out of the request body, or never looks at the Authorization header, lets any caller act on any user's data. Verify the bearer token (supabase.auth.getUser(jwt) validates it against the Auth server) and use the returned user.id.

// Vulnerable: no auth check; processUserData is a placeholder for the sensitive operation
Deno.serve(async (req) => {
  const { userId } = await req.json() // Trusting client-provided userId!
  return processUserData(userId)
})

// Fixed: verify the JWT and take the identity from it
// (assumes `supabase` is a client created with the project URL and anon key)
Deno.serve(async (req) => {
  const authHeader = req.headers.get("Authorization")
  const { data: { user } } = await supabase.auth
    .getUser(authHeader?.replace("Bearer ", ""))
  if (!user) return new Response("Unauthorized", { status: 401 })
  return processUserData(user.id) // never the client-supplied userId
})

PostgREST Injection

medium

PostgREST issues parameterized SQL, so filter values do not give classic SQL injection, but the column name, the operator and the strings handed to .or() or .select() are interpreted as query syntax. Letting the client choose them lets an attacker filter on columns the UI never exposes, add conditions that widen a result set, or embed related tables through select. RLS still bounds what comes back, which is why this is rated medium rather than high; allowlist columns and operators server-side and never splice raw input into logic filters.

// Vulnerable: user-controlled column name in a PostgREST filter
const { data } = await supabase
  .from("users")
  .select("*")
  .filter(userInput, "eq", value) // Dangerous: any column, including ones the UI never shows

// Fixed: allowlist the filter column before building the query
const allowedFilters = ["name", "email"]
if (!allowedFilters.includes(filterColumn)) {
  throw new Error("Invalid filter")
}
const { data } = await supabase
  .from("users")
  .select("id, name, email") // explicit columns rather than "*"
  .eq(filterColumn, value)
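To make the allowlist concrete, here is an added example (not code from this page) that builds the query parameters supabase-js sends (column=op.value for a single filter, or=(cond,cond) for .or()) only from allowlisted columns and operators, and shows what goes wrong when user input is concatenated into an .or() string instead. The users table and its columns are assumed for the example.

```javascript
// Added example: allowlisted PostgREST filter building, next to the unsafe
// concatenation it replaces. Table/column names are assumed for the example.

const ALLOWED = {
  users: {
    columns: new Set(["id", "name", "email"]),
    operators: new Set(["eq", "ilike", "in"]),
  },
};

// Vulnerable: user input spliced straight into the or= logic tree.
function unsafeSearchParams(userInput) {
  return `or=(name.ilike.*${userInput}*,email.ilike.*${userInput}*)`;
}

// Count the top-level conditions inside or=(...), as PostgREST will read them.
function countConditions(param) {
  const inner = param.slice(param.indexOf("(") + 1, param.lastIndexOf(")"));
  let depth = 0;
  let count = inner.length ? 1 : 0;
  for (const ch of inner) {
    if (ch === "(") depth++;
    else if (ch === ")") depth--;
    else if (ch === "," && depth === 0) count++;
  }
  return count;
}

// Validate one (column, operator, value) triple against the allowlist.
function validateFilter(table, column, operator, value) {
  const allow = ALLOWED[table];
  if (!allow) throw new Error(`table not queryable: ${table}`);
  if (!allow.columns.has(column)) throw new Error(`column not allowed: ${column}`);
  if (!allow.operators.has(operator)) throw new Error(`operator not allowed: ${operator}`);
  if (typeof value !== "string") throw new Error("value must be a string");
  return { column, operator, value };
}

// Single filter, shaped like supabase-js .filter(column, op, value) sends it.
// The value is its own encoded query-string fragment, so dots and '@' are fine.
function safeFilterParam(table, column, operator, value) {
  const f = validateFilter(table, column, operator, value);
  return `${f.column}=${f.operator}.${encodeURIComponent(f.value)}`;
}

// Logic tree for .or(): values must not carry the tree's own delimiters.
function safeOrParam(table, conditions) {
  const parts = conditions.map((c) => {
    const f = validateFilter(table, ...c);
    if (/[,()]/.test(f.value)) throw new Error("value contains logic-tree delimiters");
    return `${f.column}.${f.operator}.${f.value}`;
  });
  return `or=(${parts.join(",")})`;
}
```

With the unsafe builder, a search string of `x*,id.gt.0,name.ilike.*x` turns two conditions into six, one of them `id.gt.0`, which is true for every row: the OR now matches the whole table, and RLS is the only thing left standing between the caller and it.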

Storage Bucket ACLs

high

A public bucket lets anyone download an object by URL, with no authentication and no RLS check; guessable paths (user ids, sequential filenames) turn that into a full leak. Listing, uploading and deleting still go through policies on storage.objects, and a policy that does not restrict bucket_id applies to every bucket in the project. Keep buckets private unless the content is meant to be public, and scope each storage.objects policy to the bucket and to the owner's folder.

-- Vulnerable: public bucket. Any object path can be downloaded without
-- authentication; RLS on storage.objects is not consulted for downloads.
INSERT INTO storage.buckets (id, name, public)
VALUES ('documents', 'documents', true);

-- Fixed: private bucket, with a policy scoped to this bucket and to the
-- caller's own top-level folder ("<uid>/file.pdf")
INSERT INTO storage.buckets (id, name, public)
VALUES ('documents', 'documents', false);
CREATE POLICY "Users can access own files" ON storage.objects
  FOR SELECT USING (
    bucket_id = 'documents'
    AND auth.uid()::text = (storage.foldername(name))[1]
  );
-- Uploads need a separate INSERT policy with the same condition in WITH CHECK.
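Both the RLS Policy Bypass and Storage Bucket ACLs checks come down to reading Postgres catalog state and applying rules to it. The following added example (not Supabomb's code and not from this page) does that over rows shaped like pg_tables (rowsecurity), pg_policies (roles, cmd, qual, with_check) and storage.buckets (public). The rows are constructed for the example, the queries that would fetch real ones are not shown, and the severities and heuristics are the example's own rather than the service's.

```javascript
// Added example: audit RLS and storage configuration from catalog-shaped
// rows. All sample rows below are constructed; heuristics are illustrative.

// What "select schemaname, tablename, rowsecurity from pg_tables" might return.
const SAMPLE_TABLES = [
  { schemaname: "public", tablename: "posts", rowsecurity: false },
  { schemaname: "public", tablename: "profiles", rowsecurity: true },
  { schemaname: "public", tablename: "invoices", rowsecurity: true },
  { schemaname: "storage", tablename: "objects", rowsecurity: true },
];

// pg_policies rows: roles is name[] (modelled as an array), qual/with_check
// are the deparsed USING / WITH CHECK expressions, null when absent.
const SAMPLE_POLICIES = [
  { schemaname: "public", tablename: "profiles", policyname: "everyone reads",
    roles: ["public"], cmd: "SELECT", qual: "true", with_check: null },
  { schemaname: "public", tablename: "profiles", policyname: "own profile",
    roles: ["authenticated"], cmd: "UPDATE", qual: "(auth.uid() = id)", with_check: null },
  { schemaname: "public", tablename: "invoices", policyname: "own invoices",
    roles: ["authenticated"], cmd: "SELECT", qual: "(auth.uid() = user_id)", with_check: null },
  { schemaname: "public", tablename: "invoices", policyname: "insert any",
    roles: ["authenticated"], cmd: "INSERT", qual: null, with_check: "true" },
  { schemaname: "storage", tablename: "objects", policyname: "Users can access own files",
    roles: ["authenticated"], cmd: "SELECT",
    qual: "((auth.uid())::text = (storage.foldername(name))[1])", with_check: null },
];

// storage.buckets rows.
const SAMPLE_BUCKETS = [
  { id: "documents", public: true },
  { id: "avatars", public: false },
];

const WRITE_CMDS = new Set(["INSERT", "UPDATE", "DELETE", "ALL"]);
const isPermissive = (expr) => expr === null || expr.trim() === "true";
const grantsToAnon = (roles) => roles.some((r) => r === "public" || r === "anon");

function auditRls(tables, policies) {
  const findings = [];
  for (const t of tables) {
    const key = `${t.schemaname}.${t.tablename}`;
    const own = policies.filter((p) => p.schemaname === t.schemaname && p.tablename === t.tablename);
    if (!t.rowsecurity) {
      findings.push({ severity: "high", object: key,
        issue: "RLS disabled: every row reachable through PostgREST with the anon key" });
      continue;
    }
    if (own.length === 0 && t.schemaname === "public") {
      findings.push({ severity: "info", object: key,
        issue: "RLS enabled with no policies: table is fully locked (confirm this is intended)" });
    }
    for (const p of own) {
      const obj = `${key}.${p.policyname}`;
      if ((p.cmd === "SELECT" || p.cmd === "ALL") && isPermissive(p.qual) && grantsToAnon(p.roles)) {
        findings.push({ severity: "high", object: obj,
          issue: "USING (true) for anon/public: unauthenticated read of all rows" });
      }
      if (WRITE_CMDS.has(p.cmd)) {
        // Postgres uses USING as the check when WITH CHECK is omitted on UPDATE/ALL.
        const effective = p.with_check ?? p.qual;
        if (isPermissive(effective)) {
          findings.push({ severity: "medium", object: obj,
            issue: `${p.cmd} policy allows the operation on any row (no restrictive USING/WITH CHECK)` });
        }
      }
      const text = `${p.qual ?? ""} ${p.with_check ?? ""}`;
      if (t.schemaname === "storage" && t.tablename === "objects" && !text.includes("bucket_id")) {
        findings.push({ severity: "medium", object: obj,
          issue: "storage.objects policy does not restrict bucket_id: applies to every bucket" });
      }
    }
  }
  return findings;
}

function auditBuckets(buckets) {
  return buckets.filter((b) => b.public).map((b) => ({
    severity: "high", object: `storage.buckets.${b.id}`,
    issue: "public bucket: any object path is downloadable without authentication",
  }));
}

function runAudit(tables = SAMPLE_TABLES, policies = SAMPLE_POLICIES, buckets = SAMPLE_BUCKETS) {
  return [...auditRls(tables, policies), ...auditBuckets(buckets)];
}
```

On the constructed input the audit reports five findings: posts has no RLS, the profiles read policy is open to anon, the invoices INSERT policy has WITH CHECK (true), the storage.objects policy is not scoped to a bucket, and the documents bucket is public. Reading the page's own fixed policy for the private bucket back through this check is a good test: without bucket_id it still flags.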

Full Security Checks Included

Row-Level Security (RLS) policy testing
Edge function authentication
PostgREST API authorization
Storage bucket permission analysis
Database function security
Service role key leak detection
Auth flow vulnerability testing
Session management checks
CORS configuration analysis
<5% false positive rate — only real vulnerabilities
Open Source Tool

Supabomb

Our open source Supabase security CLI built with Python. Powerful, simple, and the same tool our AI agents use to scan your projects.

  • Auto-discovery of Supabase instances from URLs
  • RLS policy enumeration and testing
  • Edge function JWT verification
  • Storage bucket permission auditing
Quick start:

$ uv run supabomb discover --url https://your-project.supabase.co
[supabomb] Starting security scan...
[supabomb] Checking authentication...
[supabomb] Analyzing security policies...
[supabomb] Found 3 potential issues
[supabomb] Scan complete! Report saved.

Open Source
MIT License. Free to use.
Get SOC 2-Ready

Ready to Secure Your Supabase App?

Start your first pentest today. See vulnerabilities in minutes, not weeks. No credit card required.

First pentest free • SOC 2 reports included • Cancel anytime