Mockly

Blog

Practical Supabase security writeups (RLS, grants, Storage, and RPC) with real failure modes, verification steps, and safer backend-only patterns.

Featured topics

Client Role Grants (anon/authenticated)

Client role grants (anon/authenticated) create an API surface, and misusing them exposes data to any client.

Common pitfall: Granting SELECT to client roles for convenience.

Forced RLS (FORCE ROW LEVEL SECURITY)

Forcing RLS guarantees ownership filters cannot be bypassed by privileged sessions.

Common pitfall: Enabling RLS but leaving it unforced for convenience.

NEXT_PUBLIC Secret Leakage

Any secret placed in a NEXT_PUBLIC variable becomes public, so these env vars can never hold sensitive keys.

Common pitfall: Setting secrets as NEXT_PUBLIC for convenience.

Ownership-bound RLS Policies

Ownership-bound policies tie rows to a user or tenant; missing that link leaves data open.

Common pitfall: Checking only that `auth.uid()` exists instead of binding ownership.

Public RPC Surface Area

Public RPC surface area is every function on which you leave EXECUTE access to client roles, and it tends to grow into a leak.

Common pitfall: Leaving helper RPCs public as requirements change.

Storage Object Enumeration

Object enumeration happens when buckets allow listing or predictable keys, giving attackers a catalog of files.

Common pitfall: Allowing bucket listing for convenience.

All topics

We only publish topics we can cover with clear failure modes, practical checks, and safe fix patterns. If a topic isn't ready yet, it simply won't show up here.

Admin Panel Client-Only Auth

Admin Panel Client-Only Auth is a Supabase security risk where admin protections live in frontend checks instead of enforceable backend authorization.

API Cache Leaks Private Data

API Cache Leaks Private Data is a Supabase security risk where shared caches return user-specific responses to unauthorized sessions.

Audit Log Table Publicly Readable

Audit Log Table Publicly Readable is a Supabase security risk where diagnostic or audit tables become queryable by client roles.

Auth Role Claim Confusion

Auth Role Claim Confusion is a Supabase security risk where role mapping is ambiguous and grants unintended privileges to users.

Billing Webhook Idempotency Gap

Billing Webhook Idempotency Gap is a Supabase security risk where billing events are processed multiple times and create inconsistent account states.

Broad DELETE for Authenticated Role

Broad authenticated DELETE grants allow any logged-in user to remove rows.

Broad SELECT for Authenticated Role

Broad authenticated SELECT grants let every logged-in user read sensitive tables.

Broad UPDATE for Authenticated Role

Broad authenticated UPDATE grants let every logged-in user change other people’s rows.

Broken Object Level Authorization (BOLA)

Broken Object Level Authorization happens when each object is not validated against the requester, letting attackers read other users’ data.

Bucket LIST Permission Too Broad

Bucket LIST Permission Too Broad is a Supabase security risk where list permissions expose object inventories that assist targeted abuse.

Bulk Export Endpoint Overexposure

Bulk Export Endpoint Overexposure is a Supabase security risk where export APIs allow high-volume extraction without strong authorization and limits.

Client Role Grants (anon/authenticated)

Client role grants (anon/authenticated) create an API surface, and misusing them exposes data to any client.

CORS Misconfiguration in Edge Functions

CORS Misconfiguration in Edge Functions is a Supabase security risk where permissive CORS allows untrusted origins to trigger privileged flows.

Cross-Schema Data Exposure

Cross-Schema Data Exposure is a Supabase security risk where objects in unintended schemas become reachable through grants or API exposure settings.

CSV Import Trusts Client Columns

CSV Import Trusts Client Columns is a Supabase security risk where import flows allow users to overwrite sensitive fields through crafted headers.

Data API Custom Schema Misconfiguration

Data API Custom Schema Misconfiguration happens when teams move to a custom exposed schema but leave permissive grants, search paths, or legacy objects that keep data reachable.

Data API Public Schema Exposure

Data API Public Schema Exposure occurs when sensitive tables remain in exposed schemas, making direct REST or GraphQL access possible with client-side credentials.

Database URL Leaked in Client

Database URL Leaked in Client is a Supabase security risk where database connection details leak into browser bundles and deployment artifacts.

Default Function EXECUTE to PUBLIC

Default Function EXECUTE to PUBLIC is the risk that newly created routines remain callable by broad roles unless explicit revokes/default privileges are applied.

Default Privilege Drift

Default privilege drift happens when inherited grants become permissive, exposing every new object you create.

Dependency Drift Misses Security Updates

Dependency Drift Misses Security Updates is a Supabase security risk where stale dependencies keep known vulnerabilities in critical runtime paths.

Edge Function JWT Verification Gap

Edge Function JWT Verification Gap occurs when function handlers skip or misapply token validation, allowing unauthorized execution paths.

Edge Function Service Role Overuse

Edge Function Service Role Overuse is a Supabase security risk where service role credentials are used in functions that only need limited permissions.

Environment Parity Security Drift

Environment Parity Security Drift is a Supabase security risk where security controls differ across dev, staging, and production environments.

Expired Signed URL Caching Leak

Expired Signed URL Caching Leak is a Supabase security risk where cached responses keep files accessible after signed URL expiry windows.

Exposed Materialized Views

Exposed materialized views are cached results that leak data the moment you grant clients access.

File Upload MIME Spoofing

File Upload MIME Spoofing is a Supabase security risk where uploaded files bypass validation by spoofing content type metadata.

Forced RLS (FORCE ROW LEVEL SECURITY)

Forcing RLS guarantees ownership filters cannot be bypassed by privileged sessions.

Generated Columns Leak Sensitive Data

Generated Columns Leak Sensitive Data is a Supabase security risk where derived columns unintentionally expose sensitive source attributes.

Guessable Primary Keys

Guessable Primary Keys is a Supabase security risk where sequential or predictable identifiers simplify unauthorized record discovery.

Incomplete GDPR Delete Flow

Incomplete GDPR Delete Flow is a Supabase security risk where delete flows remove top-level records but leave recoverable personal data behind.

Insecure Direct Object References (IDOR)

Insecure Direct Object References happen when object IDs are exposed without authorization checks.

Insecure Edge Function Authentication

Insecure Edge Function Authentication is a Supabase security risk where edge endpoints process privileged actions before enforcing robust auth checks.

Insecure Feature Flag Disclosure

Insecure Feature Flag Disclosure is a Supabase security risk where flag payloads expose hidden capabilities and internal rollout logic.

Insecure SECURITY DEFINER Functions

Insecure SECURITY DEFINER Functions is a Supabase security risk where privileged functions execute with elevated rights but lack strict guardrails.

Invite Flow Tenant Escalation

Invite Flow Tenant Escalation is a Supabase security risk where invitation flows allow membership changes beyond intended tenant scope.

IPv6 Allowlist Gap

IPv6 Allowlist Gap is the mistaken assumption that IPv4 restrictions are enough, leaving IPv6 connection routes less constrained than intended.

Leaked JWT Signing Secret

Leaked JWT Signing Secret is a Supabase security risk where token-signing secrets leak and allow forged authentication tokens.

Magic Link Open Redirect

Magic Link Open Redirect is a Supabase security risk where authentication links redirect users to attacker-controlled destinations.

Membership Race Condition

Membership Race Condition is a Supabase security risk where concurrent membership updates create temporary unauthorized access windows.

Migration Owner Bypass of RLS

Migration Owner Bypass of RLS is a Supabase security risk where owner-level migration scripts bypass policy assumptions and access controls.

Missing CAPTCHA on Sensitive Flows

Missing CAPTCHA on Sensitive Flows is a Supabase security risk where high-risk workflows lack anti-automation controls against scripted abuse.

Missing Column-Level Redaction

Missing Column-Level Redaction is a Supabase security risk where applications expose full records when only partial fields should be visible.

Missing Data Retention Policy

Missing Data Retention Policy is a Supabase security risk where sensitive data is kept indefinitely without lifecycle controls.

Missing Key Rotation Policy

Missing Key Rotation Policy is a Supabase security risk where long-lived secrets persist without rotation, increasing blast radius during incidents.

Missing Malware Scanning on Uploads

Missing Malware Scanning on Uploads is a Supabase security risk where user-uploaded files are served without malware scanning or quarantine workflows.

Missing Network Restrictions

Missing Network Restrictions means database and pooler endpoints are reachable from unrestricted IP ranges, increasing brute-force and credential abuse risk.

Missing Rate Limits on Write Paths

Missing Rate Limits on Write Paths is a Supabase security risk where write endpoints can be abused for spam, brute force, and denial-of-wallet.

Missing Webhook Signature Validation

Missing Webhook Signature Validation is a Supabase security risk where incoming webhooks are trusted without cryptographic authenticity checks.

Missing WITH CHECK Policy

Missing WITH CHECK clauses expose write paths even when reads are locked down.

Mutable Function search_path

Mutable Function search_path is a Supabase security risk where function execution can be hijacked when search_path is not pinned safely.

NEXT_PUBLIC Secret Leakage

Any secret placed in a NEXT_PUBLIC variable becomes public, so these env vars can never hold sensitive keys.

No Exfiltration Anomaly Detection

No Exfiltration Anomaly Detection is a Supabase security risk where large abnormal data reads go unnoticed without baseline monitoring and alerting.

No Two-Person Review for Privilege Changes

No Two-Person Review for Privilege Changes is a Supabase security risk where single-actor privilege changes increase the risk of accidental or malicious escalation.

OAuth Role Mapping Errors

OAuth Role Mapping Errors is a Supabase security risk where external identity attributes are mapped to internal roles without strict checks.

Object Path Predictability Risk

Object Path Predictability Risk is a Supabase security risk where predictable object paths make private assets easy to enumerate and scrape.

Orphaned Policies After Table Rename

Orphaned Policies After Table Rename is a Supabase security risk where legacy policies remain detached from intended objects after refactors.

Over-permissive RLS Policies

Over-permissive RLS policies let too many rows through or cover too many actions, defeating the point of row security.

Overloaded RPC Signature Miss

Overloaded RPC Signature Miss is a Supabase security risk where security reviews miss overloaded signatures that remain callable with weaker controls.

Ownership-bound RLS Policies

Ownership-bound policies tie rows to a user or tenant; missing that link leaves data open.

Password Reset Token Leakage

Password Reset Token Leakage is a Supabase security risk where reset tokens leak through logs, URLs, or client-side handling.

pg_graphql Extension Exposure

pg_graphql Extension Exposure appears when GraphQL remains enabled on schemas or objects that should not be reachable from client credentials.

PII in Analytics Events

PII in Analytics Events is a Supabase security risk where tracking events include sensitive fields not needed for product analytics.

PII in Error Traces

PII in Error Traces is a Supabase security risk where stack traces and error payloads leak personal data across observability systems.

Policy Drift After Schema Rename

Policy Drift After Schema Rename is a Supabase security risk where renamed tables and columns silently desynchronize policy behavior.

Private Key Material in Logs

Private Key Material in Logs is a Supabase security risk where sensitive key material is accidentally emitted to application and infrastructure logs.

Public Backup Bucket Leak

Public Backup Bucket Leak is a Supabase security risk where backup artifacts become publicly readable through misconfigured storage buckets.

Public Function Source Disclosure

Public Function Source Disclosure is a Supabase security risk where function definitions leak business logic and internal assumptions to low-privilege roles.

Public RPC Surface Area

Public RPC surface area is every function on which you leave EXECUTE access to client roles, and it tends to grow into a leak.

Public Table Exposure

Public table exposure happens when tables accept anon/authenticated requests without row filters or backend gating, making them effectively open.

Publication Includes Sensitive Tables

Publication Includes Sensitive Tables is a Supabase security risk where logical replication publishes sensitive tables that should never stream to clients.

Publishable vs Secret Key Scope Confusion

Publishable vs Secret Key Scope Confusion is the misuse of key types across client and server boundaries, resulting in over-privileged execution paths.

Realtime Broadcast Overexposure

Realtime Broadcast Overexposure is the accidental publication of sensitive payloads to channels where recipients are broader than intended.

Realtime Channel Authorization Gap

Realtime Channel Authorization Gap is a Supabase security risk where channel subscriptions are accepted without enforcing tenant-aware authorization rules.

Realtime Presence Data Leak

Realtime Presence Data Leak is a Supabase security risk where presence metadata reveals user behavior and identifiers to unauthorized clients.

Realtime Public Channel Mode

Realtime Public Channel Mode is the risk of allowing broad channel subscription without private-channel authorization rules and topic scoping.

Realtime Topic Policy Mismatch

Realtime Topic Policy Mismatch occurs when channel topic patterns and RLS authorization logic diverge, allowing unintended subscribers or publishers.

Replication Role Overgrant

Replication Role Overgrant is a Supabase security risk where replication roles receive privileges beyond strict replication requirements.

Row Level Security (RLS)

Row Level Security (RLS) is the row-by-row gatekeeper that blocks anon/authenticated clients from touching rows they do not own, but it only protects data when it is enabled and forced.

Row Ownership Transfer Without Recheck

Row Ownership Transfer Without Recheck is a Supabase security risk where ownership updates are accepted without validating transfer authority.

RPC Dynamic SQL Injection

RPC Dynamic SQL Injection is a Supabase security risk where function logic builds SQL dynamically from untrusted parameters.

RPC Error Message Data Leak

RPC Error Message Data Leak is a Supabase security risk where error paths disclose stack details, SQL fragments, or sensitive identifiers.

RPC EXECUTE Grants

RPC execute grants control which roles can call Postgres functions, and long-lived PUBLIC/anon grants often outlive their intended use.

RPC Missing Input Validation

RPC Missing Input Validation is a Supabase security risk where RPC handlers accept malformed or dangerous inputs without strict validation.

RPC Unbounded Result Sets

RPC Unbounded Result Sets is a Supabase security risk where RPC functions return excessive rows and enable low-cost data scraping.

Schema USAGE Granted to PUBLIC

Granting USAGE on a schema to PUBLIC exposes everything inside it.

Secrets in Repository History

Secrets in Repository History is a Supabase security risk where historical commits expose credentials long after they were removed from current code.

Service Role Authorization Header Override

Service Role Authorization Header Override is when a client initialized for admin use silently runs with user session headers, changing expected privilege behavior.

Service Role Key

The service role key must live on the server; leaking it to the browser hands attackers full database control.

Service Role Overreach in Cron Jobs

Service Role Overreach in Cron Jobs is a Supabase security risk where scheduled jobs run with excessive privileges for routine operations.

Shadow Table Without RLS

Shadow Table Without RLS is a Supabase security risk where new helper tables ship without RLS and silently expose internal data.

Signed URLs

Signed URLs give temporary, scoped access to private storage objects, but poor signing still leaks data.

Soft Delete Policy Bypass

Soft Delete Policy Bypass is a Supabase security risk where deleted rows remain accessible because policies do not enforce deleted-state filtering.

SSO Group Sync Escalation

SSO Group Sync Escalation is a Supabase security risk where group sync grants elevated access when role sync rules are too permissive.

Staging Database Public Exposure

Staging Database Public Exposure is a Supabase security risk where staging deployments expose production-like data with weak controls.

Stale JWT Claims

Stale JWT Claims is a Supabase security risk where authorization decisions rely on outdated claims that no longer match server state.

Storage Authenticated Endpoint Overtrust

Storage Authenticated Endpoint Overtrust is relying on logged-in status alone for private file access without strict path ownership and bucket policy checks.

Storage Lifecycle Policy Missing

Storage Lifecycle Policy Missing is a Supabase security risk where old objects remain accessible because storage lifecycle and cleanup policies are absent.

Storage Object Enumeration

Object enumeration happens when buckets allow listing or predictable keys, giving attackers a catalog of files.

Storage Upload Size Abuse

Storage Upload Size Abuse is a Supabase security risk where uploads lack size limits and create denial-of-wallet and abuse risks.

Supabase Storage Bucket Privacy

Storage bucket privacy means restricting downloads and listings so only authorized backend code can fetch objects.

Tenant ID Trusted from Client

Trusting tenant IDs from the client lets attackers impersonate other tenants.

Test Data Left in Production

Test Data Left in Production is a Supabase security risk where non-production data handling introduces privacy and integrity risks.

Trigger Privilege Escalation

Trigger Privilege Escalation is a Supabase security risk where trigger functions perform privileged operations without clear authorization boundaries.

Unbounded Pagination Enumeration

Unbounded Pagination Enumeration is a Supabase security risk where pagination controls are weak and allow low-cost full dataset traversal.

Unencrypted Sensitive Columns

Unencrypted Sensitive Columns is a Supabase security risk where high-risk fields are stored without a column-level encryption or tokenization strategy.

Unrestricted Admin Search Endpoint

Unrestricted Admin Search Endpoint is a Supabase security risk where search endpoints provide broad access to internal records and metadata.

Unrestricted PostgREST Origin Proxy

Unrestricted PostgREST Origin Proxy is a Supabase security risk where proxy layers forward API requests without validating trusted origins.

Unrestricted View Definitions

Unrestricted View Definitions is a Supabase security risk where views reveal sensitive joins and fields without sufficient access filtering.

Untrusted Language Function Risk

Untrusted Language Function Risk is the danger of running routines with capabilities that can circumvent normal access boundaries if creation/execution controls are weak.

UPSERT Policy Gap

UPSERT Policy Gap is a Supabase security risk where upsert paths bypass intended checks when insert and update logic diverge.

View Without Security Barrier

View Without Security Barrier is a Supabase security risk where view planning behavior can leak data when security barriers are not applied.

Weak Tenant Isolation Tests

Weak Tenant Isolation Tests is a Supabase security risk where automated tests fail to prove cross-tenant access is consistently blocked.

Webhook Replay Attack Risk

Webhook Replay Attack Risk is a Supabase security risk where valid webhook messages can be replayed to repeat sensitive actions.

Full security check

Find critical security mistakes before hackers do.

Paste your Supabase URL. Mockly shows what is publicly accessible and drafts fixes you can ship.

Paste your Supabase URL

We will ask for your anon key in the next step.

Example: https://your-project.supabase.co

© __ph_0__ Mockly