Supabase Security Checker
Supabase is the most popular backend for vibe-coded apps, and its anon key is designed to be public. But that only works if your RLS policies are correct. In practice, most AI-generated Supabase apps ship with USING(true) policies intended for service role access that also grant full read access to anonymous users.
We found this pattern across 16 of our own production apps in a fleet-wide audit. UPDATE policies without WITH CHECK clauses let any authenticated user escalate their own role to admin. Storage buckets default to public in many AI-generated configs, exposing uploaded files to the internet.
VibeArmor uses your public anon key to attempt real cross-user data access, exactly like an attacker would. If we can read data we should not see, you have a real problem.
What VibeArmor detects in Supabase apps
- RLS policies using USING(true) that expose all rows to the anon role
- Exposed service_role key in client-side JavaScript bundles
- Storage buckets with public read/write permissions
- Missing WITH CHECK clauses that allow privilege escalation via UPDATE
- Schema information leaking through PostgREST error messages
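The weak patterns listed above, beside their hardened forms, as an added SQL example (not code from VibeArmor or from the page). It assumes a `public.profiles` table keyed by the Supabase `auth.users` id and a storage bucket named `uploads`; both are constructed for illustration. `auth.uid()`, `storage.foldername()` and the `anon` / `authenticated` roles are Supabase's own.

```sql
-- Constructed table for the example: one profile row per authenticated user.
create table if not exists public.profiles (
  id           uuid primary key references auth.users (id),
  role         text not null default 'user',
  display_name text
);

alter table public.profiles enable row level security;

-- WEAK (the pattern the checklist flags): no TO clause, so the policy applies
-- to every role, anon included, and USING (true) passes every row.
-- create policy "profiles_read_all" on public.profiles
--   for select using (true);

-- WEAK: UPDATE with USING but no WITH CHECK. USING only filters which rows
-- may be targeted; nothing constrains the new row values, so a user can
-- set role = 'admin' on their own row.
-- create policy "profiles_update_self" on public.profiles
--   for update using (auth.uid() = id);

-- HARDENED: scope to authenticated callers and to the caller's own row.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (auth.uid() = id);

-- HARDENED: WITH CHECK re-validates the row after the write, so the user
-- cannot re-point the row at another id.
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = id)
  with check (auth.uid() = id);

-- Role escalation is closed with column-level privileges rather than a
-- self-referencing policy (which can recurse): authenticated users may update
-- only display_name; the role column is writable only by the service role.
revoke update on public.profiles from authenticated;
grant update (display_name) on public.profiles to authenticated;
revoke all on public.profiles from anon;

-- Storage: a public bucket serves every object to the internet without a JWT.
update storage.buckets set public = false where id = 'uploads';

-- Objects are readable only by the user whose id is the first path segment,
-- i.e. files uploaded as '<auth.uid()>/<filename>'.
create policy "uploads_read_own" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'uploads'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- Verification from the SQL editor: run the next statements as the anon role.
-- With the hardened policies in place, the count is 0; with the commented
-- USING (true) policy, it returns every profile.
begin;
set local role anon;
select count(*) as rows_visible_to_anon from public.profiles;
rollback;
```

The `begin ... rollback` wrapper keeps the role switch local to the transaction, so it is safe to paste into a production project's SQL editor as a read-only check. The same "zero rows as anon" expectation is what a browser-side test with the anon key should reproduce.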
No signup • Results in 3 minutes
How VibeArmor helps
Critical exploits
Exposed secrets, auth bypass, injection, and cross-user data access. These get apps hacked.
Active defenses
HTTPS, CSP, rate limiting, and cookie security. Real protections that stop real attacks.
Best practices
Informational items that do not affect your grade. Good to know, not urgent to fix.
Related reading
- The Supabase RLS Mistake That Could Expose Your Users' Data
Deep dive into USING(true), missing WITH CHECK, and how to test your RLS from the browser console.
- 5 Security Fixes Every Vibe Coder Should Know
Fix #2 covers enabling RLS with correct policies, including copy-paste SQL.
- The 7 Most Common Vulnerabilities in AI-Generated Code
Broken RLS is vulnerability #2 — found in 60% of Supabase apps we scan.
- Is Your Lovable App Secure?
Lovable apps use Supabase by default — see the specific patterns we find.