Supabase Security Checklist
Supabase security checklist for AI-built apps
Supabase is the most popular backend for vibe-coded apps, and missing database rules are the #1 cause of vibe-coding data breaches. Use this checklist to make sure your Supabase project doesn't leak user data before you launch.
1. Row-Level Security (RLS)
- RLS is enabled on every table that holds user data
- Each table has a policy scoping rows to auth.uid(), so users see only their own data
- No table is left "open" with RLS off (the default leaves data readable with the anon key)
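As an added example (not code from the page or from VibeSafe), the SQL below shows what the three RLS checks above look like in a Supabase project: enabling RLS on a table, scoping every operation to auth.uid(), and a verification query that lists any public table still left open. The profiles table and its columns are assumed for illustration.

```sql
-- Assumed example table (not from the page): one row per user.
create table if not exists public.profiles (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  display_name text,
  created_at timestamptz not null default now()
);

-- Check 1: turn RLS on. Until this runs, the anon key can read every row.
alter table public.profiles enable row level security;

-- Check 2: scope each operation to the calling user with auth.uid().
-- 'using' filters rows the user may see/touch; 'with check' validates rows
-- they write, so a user cannot insert or update a row onto another user_id.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (auth.uid() = user_id);

create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "profiles_delete_own" on public.profiles
  for delete to authenticated
  using (auth.uid() = user_id);

-- Check 3: find tables in the public schema that still have RLS disabled.
-- Run this in the SQL editor before launch; an empty result is what you want.
select c.relname as open_table
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity
order by c.relname;
```

Note that the service_role key bypasses RLS entirely, which is why the Keys section below insists it never reaches the browser.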
2. Keys
- Only the anon / publishable key is used in frontend code
- The service_role key is never shipped to the browser; it is used server-side only
- No keys hardcoded outside environment variables
3. Storage buckets
- Buckets aren't public unless they're meant to be
- Storage policies restrict who can upload, read, and delete
4. Auth & access
- Email confirmation / sign-in configured correctly
- Sensitive actions check the user's identity on the server, not just the client
Scan your Supabase app code for free
VibeSafe flags missing RLS, exposed keys and weak rules (3 free scans per month)
VibeSafe reads your app's code for the patterns that signal these problems (the service_role key in frontend code, queries that rely on client-side filtering instead of RLS, and hardcoded Supabase URLs and keys) and explains each fix in plain English.
An honest note. A code scan catches common Supabase misconfigurations, but always confirm RLS and policies directly in your Supabase dashboard too. VibeSafe is a first safety check, not a full audit.