Is Supabase safe?
Supabase ships secure primitives but makes you assemble them. Here is what actually fails in production Supabase apps and how to harden in an afternoon.
Supabase is safe when configured correctly. Most breaches in Supabase-backed apps come from RLS misconfiguration, not from Supabase itself. The security model is sound, but the default app template relies on you to enable RLS per table.
How it fails in production
RLS disabled on new tables
New tables default to RLS-off. Forget to enable it and every row in that table is exposed to anyone holding the anon key, which ships in the client by design.
Service-role key in client code
The service-role key bypasses every RLS policy. Shipping it in client code hands anyone who can read the bundle full read and write access to the whole database.
Storage buckets left public
Storage has its own RLS: access to files is governed by policies on the storage.objects table. A public bucket serves every file in it to unauthenticated requests.
How to ship safely on Supabase
- Enable RLS on every table (see /guides/supabase-rls-misconfiguration)
- Never use the service-role key client-side; clients get the anon key only
- Set storage buckets to private and use signed URLs for downloads
- Read /blog/seven-supabase-mistakes
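The checklist above carried into SQL for the Supabase SQL editor, as an added example that is not from the original page or from Securie: it lists tables that still have RLS off, enables RLS with owner-only policies, and makes a storage bucket private. The profiles table, its owner_id column and the avatars bucket are assumed names.

```sql
-- Added example, not from the original page. Assumed names: public.profiles,
-- its owner_id column, and a bucket called avatars.

-- 1. Audit: tables in the public schema with RLS still disabled.
--    Each one is fully exposed through the anon key.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND rowsecurity = false;

-- 2. Enable RLS. With RLS on and no policies, anon and authenticated
--    callers get zero rows; only the service role bypasses this.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;

-- 3. Owner-only policies. auth.uid() is the user id from the caller's JWT.
CREATE POLICY "profiles_select_own" ON public.profiles
  FOR SELECT TO authenticated
  USING (owner_id = auth.uid());

CREATE POLICY "profiles_update_own" ON public.profiles
  FOR UPDATE TO authenticated
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- 4. Storage: files are rows in storage.objects and use the same RLS
--    mechanism. Keep the bucket private and let a user read only objects
--    under a top-level folder named after their own user id.
INSERT INTO storage.buckets (id, name, public)
VALUES ('avatars', 'avatars', false)
ON CONFLICT (id) DO UPDATE SET public = false;

CREATE POLICY "avatars_read_own" ON storage.objects
  FOR SELECT TO authenticated
  USING (
    bucket_id = 'avatars'
    AND (storage.foldername(name))[1] = auth.uid()::text
  );
```

Re-run the audit query in step 1 after every migration; any table it returns is a finding, not a warning.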
Securie's Supabase specialist is first-class: RLS validation, storage policy checks and service-role leak detection all run on every PR.
Verdict
Supabase is safe. Supabase apps with unreviewed AI-generated schemas are routinely not safe.