Is my Supabase public?

Short answer

Any Supabase table without Row-Level Security (RLS) enabled is public by default. Anyone with your anon key (which ships in your app's JavaScript) can read those tables. Run the free scanner at Securie /signup to find out in 30 seconds.

Here's the honest answer: new Supabase tables default to RLS-off. If you didn't explicitly enable RLS and write policies for every table, anyone can read them.

Why it happens:

- Lovable / Bolt / Cursor generate migrations but don't always enable RLS
- Tutorials skip RLS for simplicity
- The `anon` key is designed to be public — it ships to every user of your app

How to check in 30 seconds:

1. Open /signup
2. Paste your Supabase project URL + anon key
3. Get a per-table report with exposed row counts

If tables are exposed, the scanner gives you copy-paste SQL to enable RLS + add a default-deny policy. Migrate immediately — automated scrapers check for exactly this bug.
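
The same check and fix can be done by hand in the project's SQL editor. This is an added example, not the scanner's output or Securie's code; the table `public.profiles`, its `user_id` column and the policy name are hypothetical.

```sql
-- 1. Audit: every table in the public schema, its RLS state and policy count.
--    Rows with rls_enabled = false are readable through the anon key.
SELECT c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       (SELECT count(*)
          FROM pg_policies p
         WHERE p.schemaname = n.nspname
           AND p.tablename  = c.relname) AS policy_count
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'public'
   AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
 ORDER BY c.relrowsecurity, c.relname;

-- 2. Default deny: enable RLS on every public table that lacks it.
--    With RLS on and no policies, non-owner roles (anon, authenticated)
--    get zero rows back and cannot insert, update or delete.
DO $$
DECLARE
  t record;
BEGIN
  FOR t IN
    SELECT c.oid::regclass AS tbl
      FROM pg_class c
      JOIN pg_namespace n ON n.oid = c.relnamespace
     WHERE n.nspname = 'public'
       AND c.relkind IN ('r', 'p')
       AND NOT c.relrowsecurity
  LOOP
    EXECUTE format('ALTER TABLE %s ENABLE ROW LEVEL SECURITY', t.tbl);
  END LOOP;
END $$;

-- 3. Re-open access deliberately, one policy per need.
--    Hypothetical table and column: signed-in users read only their own row.
CREATE POLICY "owner can read own profile"
  ON public.profiles
  FOR SELECT
  TO authenticated
  USING ((SELECT auth.uid()) = user_id);
```

Have the policies from step 3 ready before running step 2 on a live project: until a policy exists, client queries against those tables return no rows. Re-run the audit query afterwards and confirm every row shows `rls_enabled = true`.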

People also ask