Supabase Storage private files: avoid bucket, listing, and signed URL leaks
A technical guide to Supabase Storage privacy covering bucket visibility, object listing, object path predictability, signed URL TTL, and backend download flows.
Inside this guide
- Private files need private buckets plus restrictive storage.objects policies.
- Object names can leak sensitive context even when file contents are protected.
- Generate signed URLs server-side after authorization checks, with short TTLs.
A private download is a workflow, not a bucket flag
A private bucket helps, but it is not the whole design. The product still needs a path that proves who is asking for the file, whether they should see it, and how long the access link should live.
Avoid browser-generated signed URLs for sensitive objects. The browser is not the place to hold privileged download authority.
Check bucket visibility and object policies together
Bucket public/private state, object listing permissions, and storage.objects policies combine into the real exposure surface. A private bucket with listable object paths can still leak filenames, tenant identifiers, invoice numbers, and email addresses.
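The following is an added example, not code from the original guide or from Supabase. It takes rows shaped like the output of the two queries that follow (the `storage.buckets` columns and the `pg_policies` columns) and flags the combinations that expose object paths or contents: public buckets, read policies reachable by the anonymous role, and read policies whose USING clause only checks `bucket_id` and so let every signed-in user enumerate the bucket. The scoping check is a heuristic (it looks for `auth.uid()` or an `owner` column), and the sample rows at the bottom are constructed.

```javascript
// Added example: audit the combined exposure surface of storage.buckets and
// storage.objects policies. Input rows mirror the two queries in this guide.

const ANON_ROLES = new Set(["anon", "public"]);

// pg_policies.roles is a name[]; psql renders it as "{anon,authenticated}".
function parseRoles(roles) {
  if (Array.isArray(roles)) return roles;
  return String(roles)
    .replace(/[{}"]/g, "")
    .split(",")
    .map((r) => r.trim())
    .filter(Boolean);
}

// Heuristic: a USING clause scopes rows to the requester only if it mentions
// auth.uid() or an owner column. A clause that checks bucket_id alone lets any
// role it names list and read every object in that bucket.
function scopedToRequester(qual) {
  if (!qual) return false;
  const q = qual.toLowerCase();
  return q.includes("auth.uid()") || /\bowner(_id)?\b/.test(q);
}

function auditStorageExposure(buckets, policies) {
  const findings = [];

  for (const b of buckets) {
    if (b.public) {
      findings.push({
        severity: "high",
        subject: `bucket ${b.name}`,
        issue: "public bucket: objects are readable without any policy check",
      });
    }
  }

  for (const p of policies) {
    const cmd = String(p.cmd).toUpperCase();
    const grantsRead = cmd === "SELECT" || cmd === "ALL";
    if (!grantsRead) continue; // write-side policies do not cause listing leaks

    const anonReachable = parseRoles(p.roles).some((r) => ANON_ROLES.has(r));
    if (anonReachable) {
      findings.push({
        severity: "high",
        subject: `policy ${p.policyname}`,
        issue: "anonymous role can list and read objects; confirm the bucket holds only public assets",
      });
    } else if (!scopedToRequester(p.qual)) {
      findings.push({
        severity: "medium",
        subject: `policy ${p.policyname}`,
        issue: "read policy is not scoped to the requester; any signed-in user can enumerate object paths",
      });
    }
  }
  return findings;
}

// Constructed sample rows, shaped like the query output (not from a real project).
const SAMPLE_BUCKETS = [
  { id: "invoices", name: "invoices", public: false },
  { id: "exports", name: "exports", public: false },
  { id: "marketing", name: "marketing", public: true },
];

const SAMPLE_POLICIES = [
  { policyname: "invoices_owner_read", roles: "{authenticated}", cmd: "SELECT",
    qual: "((bucket_id = 'invoices'::text) AND (owner = auth.uid()))", with_check: null },
  { policyname: "exports_any_user_read", roles: "{authenticated}", cmd: "SELECT",
    qual: "(bucket_id = 'exports'::text)", with_check: null },
  { policyname: "marketing_public_read", roles: "{anon,authenticated}", cmd: "SELECT",
    qual: "(bucket_id = 'marketing'::text)", with_check: null },
  { policyname: "invoices_owner_insert", roles: "{authenticated}", cmd: "INSERT",
    qual: null, with_check: "((bucket_id = 'invoices'::text) AND (owner = auth.uid()))" },
];

function runSampleAudit() {
  return auditStorageExposure(SAMPLE_BUCKETS, SAMPLE_POLICIES);
}

for (const f of runSampleAudit()) {
  console.log(`[${f.severity}] ${f.subject}: ${f.issue}`);
}
```

Run it against the real query output by replacing the two sample arrays; a clean result is three lines shorter than the sample run, which reports the public `marketing` bucket, the anonymous read policy on it, and the `exports` policy that any authenticated user can use to list the bucket.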
```sql
-- Bucket visibility: any row with public = true serves objects without a policy check
select id, name, public
from storage.buckets
order by name;

-- Row-level policies on storage.objects: who may list, read, or write objects
select policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'storage'
and tablename = 'objects'
order by policyname;
```

Use opaque object keys
Do not put emails, organization names, invoice IDs, or predictable counters in object paths. Use opaque IDs and store business context in protected database rows.
Path predictability matters because attackers can test common prefixes and old links. A private bucket reduces content access, but metadata and request patterns still matter.
Keep signed URLs short and server-issued
Generate signed URLs only after the server checks the current user and target object. Use short TTLs, do not log full URLs, and regenerate on demand.
If a URL must be shared outside the app, treat it as a deliberate public-sharing feature with expiration, revocation, and audit logging.
FAQ
Are signed URLs safe?
They are safe when generated server-side after authorization, kept short-lived, and not stored or logged as permanent links.
Can public buckets be safe?
Only for public assets. User uploads, documents, exports, backups, and invoices should use private buckets.