← All posts
·6 min read·GuardLayer

Is Supabase Secure? What's Safe and What's on You

SupabaseRLSSecuritySecrets

Yes — Supabase is secure enough for production. The platform is SOC 2 Type II compliant and ISO 27001 certified, with data encrypted at rest and in transit. Nearly every Supabase "breach" you read about is not a platform vulnerability — it's a misconfiguration in the app on top: a table with Row Level Security left off, a service_role key that reached the browser, or a secret committed to git.

"Is Supabase secure?" is really two questions wearing one coat. Is the platform secure? Yes, and demonstrably so. Is an app built on Supabase secure? That's entirely up to how you configure it — and it's where essentially all the real-world data leaks come from. Conflating the two is how people end up either needlessly afraid of a solid platform or dangerously overconfident about their own app.

Is the Supabase platform secure?

Yes. Supabase runs on Postgres and AWS infrastructure, is SOC 2 Type II compliant and ISO 27001 certified, encrypts data at rest with AES-256, and serves everything over TLS. Those are the same baseline controls you'd expect from any serious cloud data platform, independently audited. If your worry is "will Supabase itself get popped and leak my database," that's not where your risk lives.

Platform-level vulnerabilities do surface — all software has them — and Supabase patches and discloses them centrally and fast. The vulnerabilities that stay open for months, across thousands of apps, are the ones in application configuration that no vendor can patch for you.

Is Supabase safe for production?

Yes, when you treat the anon key as public and protect every table with RLS — those two habits close the door on the overwhelming majority of incidents. Apps leak not because the platform is unsafe, but because Supabase hands you a loaded default and trusts you to handle it.

That default: new tables ship with Row Level Security turned off. Every table in the public schema is automatically exposed over an auto-generated REST API, reachable with the anon key that lives in your browser bundle. Until you enable RLS and write a policy, that table is world-readable and often world-writable. The platform is secure; the default is permissive; the gap between them is your job.

What that gap costs, in the real world. Early in 2026, security firm Wiz found the AI-built social network Moltbook exposing 1.5 million API tokens, 35,000 email addresses, and private messages — its creator said he "didn't write a single line of code." The root cause was textbook: a Supabase key in client-side JavaScript with no RLS policies behind it. It echoes CVE-2025-48757, where researcher Matt Palmer found 303 endpoints across 170 AI-built Supabase apps leaking data to anyone with the public anon key. Same root cause, different year: not the platform — the configuration.

The three things that decide whether your app is secure

If you get these three right, you've handled the failure modes behind nearly every Supabase data leak.

1. Enable RLS on every table in public. This is the big one. RLS is per-table and off by default, so the table that leaks is usually the one you added later and forgot — sitting right next to the ones you secured. The fix is one line after every CREATE TABLE, and it fails closed — with RLS on and no policy, the table denies everyone. Here's a messages table created with no RLS — exactly the Moltbook shape — and what GuardLayer reports on it. This is live engine output, not a mockup:

guardlayer scan · supabase/migrations/0003_messages.sqlLive engine output
Passed with warnings
92/100 · A
  • Warningsupabase/migrations/0003_messages.sql:1

    Table created without enabling RLS

    Add ALTER TABLE <table> ENABLE ROW LEVEL SECURITY; plus access policies right after the CREATE TABLE.

That table is now readable and writable by anyone holding your anon key. The scanner flags it before it ships; enabling RLS closes it.

2. Keep the service_role key server-side, always. The anon key is gated by RLS. The service_role key bypasses RLS entirely — it's your master key. The catastrophic mistake is letting it reach the browser, usually via a NEXT_PUBLIC_ prefix. If it ships in your bundle, anyone can read and write every row in every table, RLS or not. It belongs only in server code (Route Handlers, Server Actions, Edge Functions).

3. Don't leak secrets. Beyond the service_role key, the usual suspects: API keys hardcoded in source, database URLs in committed config, .env values that slip into the client. Keeping secrets out of the client and out of git is the third leg.

Is the Supabase anon key safe to expose?

Yes — the anon key is designed to be public and ships in your client bundle by design. It's safe because RLS is supposed to be the thing standing between it and your data. That's the catch worth internalizing: the anon key being public is only safe when your RLS is correct. With RLS off, the anon key everyone can see is a skeleton key to the exposed table. The key isn't the vulnerability; the missing policy is.

A 60-second "is my Supabase app secure" check

Run this in the SQL editor to list every public table with RLS still off:

select tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

Anything it returns is reachable by your anon key right now. Then grep your codebase for the two other classics:

# service_role key behind a public prefix?
grep -rn "NEXT_PUBLIC_.*SERVICE_ROLE" .

# hardcoded Supabase keys or URLs in source?
grep -rnE "eyJ[A-Za-z0-9_-]{20,}" --include=*.ts --include=*.tsx .

Clean on all three and you've covered the failure modes behind the incidents above. Or scan the whole repo on every push — GuardLayer checks these (and other Next.js + Supabase footguns) and posts the findings on your PR, so a forgotten table never reaches production.

FAQ

Is Supabase secure? The platform is — it's SOC 2 Type II compliant, ISO 27001 certified, and encrypts data at rest and in transit. Whether an app built on it is secure depends on configuration: enabling RLS on every table, keeping the service_role key server-side, and not leaking secrets. Almost all real-world Supabase data leaks are misconfiguration, not platform flaws.

Is Supabase safe for production? Yes, for production apps that treat the anon key as public and protect every public table with RLS. The platform meets standard enterprise security baselines. The risk is the permissive default — new tables have RLS off — so the work is on you to enable it before launch.

Is Supabase Auth secure? Supabase Auth is a solid, standards-based implementation (JWT sessions, OAuth providers, MFA). As with the database, the security of your usage depends on configuration — verifying sessions server-side, scoping RLS policies with auth.uid(), and not trusting a user id sent from the client. Keep Supabase updated to pick up Auth security patches.

Is the Supabase anon key safe to expose? Yes, by design — it's meant to live in your client bundle and is constrained by your RLS policies. It's only safe when RLS is actually enabled and correctly scoped. The service_role key is the opposite: never expose it, ever.

Why do so many Supabase apps get breached then? Because new tables ship with RLS off, and it's easy to forget — especially in AI-generated code, which is behind incidents like Moltbook and CVE-2025-48757. The platform doesn't leak; the forgotten policy does.

Catch this before it ships — free

GuardLayer scans every push for this and 22 other Next.js + Supabase issues, with the exact fix inline.

No signup, no card — your code is scanned in memory and never stored.

Keep reading