My Supabase database might be public — how do I check?


Eleven percent of AI-built apps have at least one public Supabase table. Here's how to check yours.

You read a Wiz blog about Moltbook leaking 1.5 million API keys through a Supabase misconfiguration. You realize you don't actually know if your Supabase has the same bug. You've never heard of Row-Level Security. You don't even know where to start.

What happens next

  1. If your tables are public

    Anyone with your Supabase URL and anon key (both public by design — they ship in your app's JavaScript) can call the auto-generated REST API as the `anon` role. With RLS off, Supabase's default grants let that role read every row in every exposed table, and usually insert, update and delete as well.

  2. How attackers find you

    Automated tools scrape public GitHub repos, search JavaScript bundles on live sites, and enumerate Supabase projects. If your app is live, they've already probed it.

  3. What they do with the data

    Exfiltrate everything. Customer records, email addresses, credit-card last-4s, private messages, internal notes. It ends up in data-dump markets within days.

Without Securie

You either don't know about the bug at all, or you manually enable RLS on every table and write policies yourself — which requires understanding Postgres RLS syntax, tenant scoping, and security-model design.

With Securie

Request a Securie review at /scan. Public OSS can start on the capped verification path; private repos use managed plans. For each exposed table, Securie proposes the exact SQL fix as a pull request you can merge without reading code.

Exactly what to do right now

  1. Open Supabase Studio → Authentication → Policies
  2. For every table in the `public` schema, confirm RLS is ON (toggle at the top of the policy panel)
  3. For every table with user data, confirm at least one policy references `auth.uid()` or a tenant ID from the JWT
  4. Enable RLS on any table missing it: `alter table <t> enable row level security;`
  5. Add per-operation allow-policies (select, insert, update, delete) scoped by user or tenant. RLS with no matching policy is already default-deny, so you do not need a deny policy; you do need to avoid any `using (true)` policy, because policies are permissive and OR'd together, and one open policy re-exposes the table
  6. Keep the `service_role` key server-side only: it bypasses RLS entirely, so no policy protects a table from a client that holds it
  7. Request Securie access at /scan; once it is enabled, the Securie review covers the repo
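The exposure described under "What happens next" and the audit-and-fix steps above, carried through end to end in SQL. This is an added example, not code from Securie or from Supabase. It assumes a Supabase project (so `auth.uid()` and the `anon`/`authenticated` roles exist), a hypothetical `public.customer_notes` table, and constructed sample rows; run it in the SQL editor or with psql as the `postgres` role.

```sql
-- 1. Audit: every table in `public` with RLS disabled is reachable through
--    PostgREST by anyone holding the anon key. Look for rls_enabled = false.
select n.nspname as schema_name, c.relname as table_name, c.relrowsecurity as rls_enabled
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind in ('r', 'p')   -- ordinary and partitioned tables
order by c.relrowsecurity, c.relname;

-- 2. Audit: policies that match rows unconditionally. Policies are permissive
--    and OR-ed together, so one `using (true)` policy re-opens a table.
select schemaname, tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- 3. Reproduce the exposure on a scratch table (hypothetical name and rows).
create table if not exists public.customer_notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null,
  note    text not null
);
insert into public.customer_notes (user_id, note) values
  ('11111111-1111-1111-1111-111111111111', 'alice: renewal pending'),
  ('22222222-2222-2222-2222-222222222222', 'bob: card on file ending 4242');

-- The anon key maps to the `anon` role. Supabase's default privileges grant it
-- access to tables in `public`, so with RLS off it reads every row.
begin;
set local role anon;
select count(*) as rows_visible_to_anon from public.customer_notes;   -- 2: everything is exposed
rollback;

-- 4. Fix: enable RLS, then add per-operation policies scoped to the caller.
--    With RLS on and no matching policy the table is default-deny, so there is
--    no deny policy to write and no `using (true)` policy to leave behind.
alter table public.customer_notes enable row level security;

create policy "notes: owner reads"   on public.customer_notes
  for select to authenticated using (user_id = auth.uid());
create policy "notes: owner inserts" on public.customer_notes
  for insert to authenticated with check (user_id = auth.uid());
create policy "notes: owner updates" on public.customer_notes
  for update to authenticated using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy "notes: owner deletes" on public.customer_notes
  for delete to authenticated using (user_id = auth.uid());

-- 5. Verify as the roles PostgREST actually switches to. auth.uid() reads the
--    `sub` claim from the request.jwt.claims setting, which is how Supabase
--    hands the caller's JWT to Postgres, so a local set_config() stands in for
--    a real token here.
begin;
set local role anon;
select count(*) as rows_visible_to_anon from public.customer_notes;   -- 0: anon key now sees nothing
rollback;

begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
select note from public.customer_notes;   -- only alice's row
rollback;
```

Two things the table audit does not cover: views in `public` are also exposed through the REST API and, unless created with `security_invoker = true`, run with their owner's privileges and skip RLS on the underlying tables; and functions exposed as RPC that are declared `security definer` do the same. Check both before calling a project closed. RLS never applies to `service_role` (it has `bypassrls`), which is why that key must stay on the server.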