
How to Know If My Database Is Exposed

Your database is exposed if it can be read or written to without proper authentication. For Supabase users: if Row Level Security (RLS) is disabled on a table, anyone with your project URL and anon key can access that data. Check by running a simple SQL query in the Supabase dashboard.

Why this matters

Database exposure is the most common critical security issue in apps built with AI tools. Security researchers have found hundreds of AI-built apps with publicly accessible databases — all because RLS was not enabled on their Supabase tables.

What's at stake

An exposed database means anyone can read, modify, or delete your users' data. This can happen silently — you may not know until someone reports it or you notice missing data.

Step by step.

1. Check Row Level Security status (Supabase)

Open the Supabase SQL Editor and run: SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'; — any table showing 'f' (false) with user data is exposed.

2. Test access without authentication

Try accessing your database API endpoint without being logged in. For Supabase, use curl or your browser to query a table using only the anon key. If you can read data that should be private, your database is exposed.

3. Verify connection restrictions

Check that your database is not directly accessible from the internet on its raw port. For Supabase, direct database connections should use SSL and IP allowlisting where possible.

4. Enable RLS and add policies

For each exposed table, run ALTER TABLE your_table ENABLE ROW LEVEL SECURITY; then add policies that restrict access to authenticated users and only their own rows, using auth.uid() to compare the caller's identity with the row's owner column.

5. Test after fixing

After enabling RLS, repeat step 2. Verify that unauthenticated requests return empty results and that authenticated users can only see their own data.
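The audit in step 1 and the fix in step 4, worked through as an added example that is not part of the original page. It assumes a hypothetical public.profiles table with a user_id uuid column that matches the owner's auth user id; run it in the Supabase SQL Editor.

```sql
-- Added example (not from the original page). Assumes a hypothetical
-- table public.profiles with a user_id uuid column holding the owner's
-- auth user id.

-- 1. Audit: list every public table with its RLS flag and policy count.
--    rls_enabled = false means the table is readable with the anon key.
SELECT t.tablename,
       t.rowsecurity        AS rls_enabled,
       COUNT(p.policyname)  AS policy_count
FROM   pg_tables t
LEFT   JOIN pg_policies p
       ON  p.schemaname = t.schemaname
       AND p.tablename  = t.tablename
WHERE  t.schemaname = 'public'
GROUP  BY t.tablename, t.rowsecurity
ORDER  BY t.rowsecurity, t.tablename;

-- 2. Fix: enable RLS on the exposed table. With RLS on and no policies,
--    the anon and authenticated roles get zero rows (fail closed).
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

-- 3. Policies: signed-in users may read and update only their own row.
--    auth.uid() returns the caller's JWT subject and is NULL for anon
--    requests, so the comparison fails and no rows are returned.
CREATE POLICY "profiles: owner can read"
  ON public.profiles FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

CREATE POLICY "profiles: owner can update"
  ON public.profiles FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);

-- 4. Verify: a policy whose USING clause is simply true re-opens the
--    table even though RLS is enabled, so flag any such policy.
SELECT tablename, policyname, roles, cmd, qual
FROM   pg_policies
WHERE  schemaname = 'public'
  AND  qual = 'true';
```

After running the policies, repeat the step 2 curl test: the anon key should now return an empty array rather than rows.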

Detect database exposure before it becomes a breach

  • Automated RLS verification across all your Supabase tables
  • Real-time alerts if a table is created without proper security
  • Clear remediation steps for any detected exposure
Get started with BWORLDS

Frequently asked questions.

Tables created through the Supabase dashboard have RLS enabled by default, but tables created through migrations or AI-generated code may not. Always verify RLS status after creating new tables.

Your Supabase project URL and anon key are visible in your frontend code — this is by design. The protection comes from RLS policies, not from hiding the URL. Without RLS, knowing the URL is enough to access your data.

Everything in tables without RLS. This could include user emails, passwords (if stored improperly), personal information, payment data, and any content users have created in your app.

Immediately. Automated bots continuously scan for exposed databases. Once your data is accessed, you cannot undo the exposure. Enable RLS as the first priority, then review what data may have been accessed.