Learn
Security

Is My Supabase App Secure?

Supabase provides strong security primitives — Row Level Security, API key separation, and built-in auth — but your app is only secure if you configure them correctly. The most common mistake is leaving RLS disabled on tables, which makes your data publicly accessible.

Why this matters

Supabase is the most common backend for AI-built apps (Lovable, Bolt, and Replit all integrate with it). Its security model is powerful but requires explicit configuration. Tables created outside the dashboard may not have RLS enabled by default.

What's at stake

A single table without RLS means anyone with your project URL and anon key can read, modify, or delete that data. This is a widespread misconfiguration that affects many AI-generated apps using Supabase as their backend.

Your checklist.

RLS is enabled on every table with user data

Critical

Tables created via the Supabase dashboard have RLS enabled by default, but tables created via migrations or external tools may not. Verify with: SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public';

RLS policies use auth.uid() not client-provided IDs

Critical

Always use auth.uid() in RLS policies to identify the current user. Never trust user IDs sent from the client — they can be spoofed.

Service role key is never exposed in client-side code

Critical

The service role key bypasses all RLS policies. It must only be used in Edge Functions or server-side code. Supabase automatically revokes service role keys detected in public GitHub repositories.

INSERT/UPDATE policies include WITH CHECK clause

Important

Without WITH CHECK, users may be able to insert rows they should not own. Always include WITH CHECK (user_id = auth.uid()) on write policies.

Email confirmation is enabled in Auth settings

Important

Without email confirmation, anyone can create accounts with fake emails. Enable it in Authentication > Settings to prevent spam signups.

RLS policies have been tested by impersonating different roles

Recommended

Use the Supabase SQL editor to test policies as anon, authenticated, and specific user roles. The Security Advisor can also scan for misconfigurations.

Verify your Supabase configuration is actually secure

  • Automated RLS verification across all your tables
  • API key exposure detection for your deployed app
  • Security badge proving your backend meets baseline standards
Get started with BWORLDS

Keep learning.

Related tools

lovableboltreplit

Related guides

spreadsheet to app

Related topics

what is row level securitysaas security checklistdid i expose my api key

Frequently asked questions.

Yes. The anon key is designed to be public and operates with the anon role in PostgreSQL. It respects your RLS policies, so it can only access data your policies allow. The service role key is the one you must never expose.

Run this SQL in the Supabase SQL editor: SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public'; Any table showing 'f' (false) for rowsecurity with user data is a critical security risk.

The top mistakes are: not enabling RLS at all, using overly permissive policies (USING true), missing WITH CHECK on INSERT/UPDATE policies, and trusting client-provided user IDs instead of auth.uid().

Yes. Supabase provides Security Advisors that scan for misconfigurations and offer AI-powered fix recommendations. They also automatically revoke service role keys detected in public GitHub repos and notify project owners.

Yes. Supabase offers GDPR-compliant data processing, SOC 2 compliance on the Team plan, HIPAA availability, and data residency options. Point-in-Time Recovery ensures minimal data loss. The Team plan starts at $599/month.