Supabase

// SUPABASE SECURITY CHECKER

Is your Supabase database actually locked down?

Supabase gives your app a real Postgres database in seconds — and leaves it to you to decide who can read and write it. That decision is row-level security, and it is the single most common place vibe-coded apps get breached. A table with RLS off, or a policy that reads USING(true), means anyone on the internet can read every row. Veilguard checks your live Supabase-backed app, grades it A to F, and hands you the exact policy to paste.

Free — no signup · Your code stays yours · Results in ~60s

// WHAT WE CHECK

What Veilguard checks in your Supabase project

Critical

RLS disabled on a table

Any table with row-level security turned off is fully readable and writable by anyone with your public anon key. We find every one.

Critical

Policies that read USING(true)

A policy that always evaluates true is the same as no policy at all — it just looks protected. This is the exact pattern behind real Supabase breaches.

Critical

auth.uid() IS NOT NULL bypass

Policies that only check a user is logged in — not that the row belongs to them — let any signed-in user read everyone’s data.

Critical

Exposed service-role key

The service key bypasses RLS entirely. If it reaches the browser, your database has no protection at all.

Warning

Public storage buckets

Storage buckets set public, exposing uploaded files, invoices and user photos to the whole internet.

Warning

Missing policies on new tables

Tables created without any policy, so access falls back to insecure defaults nobody reviewed.

// THE GAP

Why Supabase projects end up exposed

Supabase is secure by design — but only if you write the right policies, and AI builders like Lovable and Bolt frequently don’t. The database ships permissive so you can move fast, and the danger is invisible: the app works perfectly whether or not RLS is correct. The Moltbook breach leaked 1.5 million API keys from exactly this mistake. Veilguard tells you which tables are open and gives you the SQL to close them.

// HOW IT WORKS

Scan. Understand. Fix.

01

Scan

Paste your app’s link. No install, no signup — just the URL you already share with customers.

02

Understand

A clear A–F grade and every issue in plain English: what it is, why it matters, and how bad it really is.

03

Fix

The exact fix for each issue — copy-paste code or a ready-made prompt for your AI. Then we keep watching.

// FAQ

Supabase security, answered.

How does Veilguard check my Supabase RLS?

From your live app we probe what the public anon key can actually reach. Connect Supabase read-only for a full policy-by-policy audit that lists every open table and the exact SQL to lock it down.

What is the most common Supabase mistake?

Row-level security that is off or effectively open — a table with RLS disabled, or a policy that reads USING(true) or only checks auth.uid() IS NOT NULL. All three let the wrong people read your data.

Will you give me the fix, not just the problem?

Yes. Every finding comes with the exact RLS policy to paste into the Supabase SQL editor, or a prompt you can hand to your AI tool to apply it.

Grade your Supabase app in 60 seconds.

Free — no signup · Your code stays yours · Results in ~60s