Is Supabase Safe?
Supabase is safe · it's used by tens of thousands of production apps. The vulnerabilities we see are almost never in Supabase itself; they're in how apps configure RLS, expose the service-role key, and skip leaked-password protection.
Known risks
- RLS disabled or misconfigured · A public table without RLS is world-readable via the anon key. `USING (true)` policies are effectively the same thing.
- Service-role key in client code · The `service_role` key bypasses all RLS. If it ends up in a frontend bundle, the entire database is exposed.
- Leaked-password protection off · By default the check against HaveIBeenPwned isn't enabled. Users can pick known-breached passwords.
How to make it safer
- Enable RLS on every public table · `ALTER TABLE public.<name> ENABLE ROW LEVEL SECURITY` plus scoped policies. No policies = locked, which is the correct default.
- Keep service-role server-side · Only use it in edge functions or backend services. Never import it in React code.
- Turn on leaked-password protection · One toggle in Auth > Providers > Email. Blocks the most trivial credential-stuffing.
Frequently asked
Is Supabase actually safe?
The platform is safe. Individual project configurations are where risk lives. Scan yours to be sure.
What's the #1 Supabase security mistake?
Missing RLS policies. Every public.* table needs RLS on plus scoped policies.
How do I know if my Supabase app is secure?
Run SimplyScan · we check RLS coverage, service-role exposure, auth settings, and 48 other things.
Scan your Supabase app →