Is my Supabase public?
Your Supabase project is public by default on any table in the `public` schema that does not have Row-Level Security (RLS) enabled. Anyone holding your anon key (which ships in your app's JavaScript) can read those tables and, with Supabase's default grants, insert, update and delete rows in them too. You can check yourself in Supabase Studio, or request Securie access for a plain-English per-table report.
Here's the honest answer: tables created by SQL (migrations, the SQL editor, any ORM) default to RLS off; only the dashboard's Table Editor ticks "Enable RLS" for you. If you didn't explicitly enable RLS and write policies on every table, anyone with the anon key can read and write them.
Why it happens:
- Lovable / Bolt / Cursor generate migrations but don't always enable RLS
- Tutorials skip RLS for simplicity
- The `anon` key is designed to be public: it ships to every user of your app
How to check yourself, now:
1. Open your Supabase dashboard → Authentication → Policies. Every table in `public` is listed with its RLS state and its policies.
2. For every table with user data, confirm RLS is ON and that each operation your app needs has a policy scoped to the caller, normally via `auth.uid()`. A `using (true)` policy is a deliberate "everyone can read this" grant; it belongs only on tables that are genuinely public.
3. In the SQL editor, list the exposed tables directly. A table with RLS off is fully open to the anon key no matter what policies exist on it (policies are ignored until RLS is on), so check the RLS flag itself rather than only the policy list. Joining `pg_policies` on table name alone can hide a problem when another schema has a same-named table, so join on schema and name:

```sql
-- Tables in public with RLS off: readable and writable with the anon key
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Tables with RLS on but no policies: locked (only service_role sees rows).
-- Safe, but usually a sign the app is broken and someone will "fix" it by
-- switching RLS off again
select t.schemaname, t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public' and t.rowsecurity and p.policyname is null;
```
If tables are exposed, enable RLS on each one. Enabling RLS with no policies is already deny-all for the `anon` and `authenticated` roles; there is no separate "default-deny policy" to write. Then add one allow policy per operation (select, insert, update, delete), each scoped by `auth.uid()`, with `with check` on inserts and updates so users cannot write rows under someone else's id. Apply the migration now: automated scrapers check for exactly this bug. Two caveats: the `service_role` key bypasses RLS entirely, so it must never reach a browser or mobile client, and a policy on a table whose RLS is still off does nothing, so flipping RLS on is the step that actually closes the hole.
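The full check-and-fix sequence above, as an added example that is not part of the Securie page or its scanner. It uses a hypothetical `public.todos` table with a `user_id` column; the table, the policy names and the UUID in the verification step are all constructed for the example. The verification relies on `auth.uid()` reading the `sub` claim from the `request.jwt.claims` setting, which is how Supabase's helper is implemented.

```sql
-- Added example, not from the Securie page. Locks down a hypothetical
-- public.todos table that a migration created with RLS off.

-- 0. Constructed table, as a code generator might have emitted it (RLS off).
create table if not exists public.todos (
  id      bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id) on delete cascade,
  title   text not null,
  done    boolean not null default false
);

-- 1. Turn RLS on. With no policies yet, anon and authenticated get zero
--    rows; only service_role (which bypasses RLS) still sees data.
alter table public.todos enable row level security;

-- 2. One allow policy per operation, each scoped to the caller.
--    (select auth.uid()) lets Postgres evaluate the function once per
--    query instead of once per row.
create policy "todos: owner select" on public.todos
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy "todos: owner insert" on public.todos
  for insert to authenticated
  with check (user_id = (select auth.uid()));

create policy "todos: owner update" on public.todos
  for update to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

create policy "todos: owner delete" on public.todos
  for delete to authenticated
  using (user_id = (select auth.uid()));

-- No policy names the anon role, so unauthenticated requests made with
-- the public key get nothing from this table.

-- 3. Verify from the SQL editor by impersonating API requests. The editor
--    runs as a role that bypasses RLS, so switch roles inside a transaction
--    and set the JWT claims that auth.uid() reads. Rolled back afterwards.
begin;
  set local role authenticated;
  select set_config(
    'request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true);
  select count(*) from public.todos;   -- rows owned by that sub only

  set local role anon;
  select count(*) from public.todos;   -- 0: no policy grants anon anything
rollback;
```

Run the verification block both before and after the fix: with RLS still off, the `anon` count returns every row in the table, which is exactly what a scraper with your public key would see.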
Once your repo is connected, Securie will run this same audit and propose the SQL fix as a PR. Request a review at /scan for your project.