Supabase Security Checker

Supabase is the most popular backend for vibe-coded apps, and its anon key is designed to be public. But that only works if your RLS policies are correct. In practice, most AI-generated Supabase apps ship with USING(true) policies intended for service role access that also grant full read access to anonymous users.

We found this pattern across 16 of our own production apps in a fleet-wide audit. UPDATE policies without WITH CHECK clauses let any authenticated user escalate their own role to admin. Storage buckets default to public in many AI-generated configs, exposing uploaded files to the internet.

VibeArmor uses your public anon key to attempt real cross-user data access, exactly like an attacker would. If we can read data we should not see, you have a real problem.

What VibeArmor detects in Supabase apps

  • RLS policies using USING(true) that expose all rows to the anon role
  • Exposed service_role key in client-side JavaScript bundles
  • Storage buckets with public read/write permissions
  • Missing WITH CHECK clauses that allow privilege escalation via UPDATE
  • Schema information leaking through PostgREST error messages
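The first and fourth findings above in SQL, as an added example that is not VibeArmor's own code or output: the weak policies next to a corrected set. The table and column names (`public.profiles`, `user_id`, `display_name`, `role`) are assumptions.

```sql
-- Constructed example table; names are assumptions, not from the page.
create table public.profiles (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id),
  display_name text,
  role text not null default 'user'
);
alter table public.profiles enable row level security;

-- WEAK: the pattern described above. USING (true) applies to every role
-- that can reach the table, including anon, so every row is readable with
-- nothing but the public anon key. (service_role bypasses RLS anyway, so a
-- permissive policy "for service role" grants nothing it did not have.)
create policy "profiles_read_all" on public.profiles
  for select using (true);

-- WEAK: no WITH CHECK, so Postgres reuses USING to validate the new row.
-- The owner passes USING, and nothing constrains what the row becomes, so
-- UPDATE profiles SET role = 'admin' WHERE user_id = auth.uid() succeeds.
create policy "profiles_update_own" on public.profiles
  for update using (auth.uid() = user_id);

drop policy "profiles_read_all" on public.profiles;
drop policy "profiles_update_own" on public.profiles;

-- FIXED: scope reads to the authenticated role and to the caller's own row;
-- anon matches no policy, so RLS denies it every row.
create policy "profiles_read_own" on public.profiles
  for select to authenticated using (auth.uid() = user_id);

-- FIXED: WITH CHECK pins the resulting row's owner, and the UPDATE grant is
-- limited to the columns a user may change, so role cannot be written
-- through this path at all. A role change belongs in a service_role call
-- or a SECURITY DEFINER function with its own checks (not shown).
revoke update on public.profiles from authenticated;
grant update (display_name) on public.profiles to authenticated;
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Verification from the SQL editor: as anon, this must return 0 after the
-- fix, and the same query under a user's JWT returns only that user's row.
-- set role anon; select count(*) from public.profiles; reset role;
```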
How VibeArmor helps

TIER 1

Critical exploits

Exposed secrets, auth bypass, injection, and cross-user data access. These get apps hacked.

TIER 2

Active defenses

HTTPS, CSP, rate limiting, and cookie security. Real protections that stop real attacks.

TIER 3

Best practices

Informational items that do not affect your grade. Good to know, not urgent to fix.