examples
Default Privilege Drift: direct API bypass
Default privilege drift exposed a new API surface via direct access. This example breaks down what shipped, what caused it, the fix that worked, and how to apply the takeaways to your own schema.
Scenario: Default Privilege Drift: direct API bypass (what happened)
A frontend flow appears locked down, but a new table created under permissive defaults still allows client credentials through.
What went wrong in Default Privilege Drift: direct API bypass (root cause)
The defaults granted broad access, so attackers bypassed the UI and the database returned sensitive rows.
What fixed Default Privilege Drift: direct API bypass (actionable change)
Lock down default privileges, enforce backend-only endpoints, and audit new grants as part of each release.
Why the fix works for Default Privilege Drift: direct API bypass
New objects now inherit secure defaults, so the direct API path dies before it reaches production.
Takeaways you can apply
- Default privilege drift is easy to miss.
- Set defaults to deny-by-default and audit them regularly.
- Always check grant changes in migrations.
- Test direct API calls after deploying schema changes.
How to map Default Privilege Drift: direct API bypass to your own schema (make it concrete)
An example becomes actionable when you can point to the exact resource in your project.
- Write down the resource under test (table name, bucket name, function name).
- Write down the intended boundary in one sentence (who should be able to do what, and via which server path).
- List the client code paths that currently reach the resource (direct SDK calls, REST calls, Storage downloads, RPC calls).
- Pick one path and reproduce the risky behavior once (so you’re not guessing).
- Apply the smallest fix that enforces the boundary, then re-test the same path until it fails reliably.
This prevents the common failure mode where a fix works for one UI flow but the underlying API is still reachable directly.
How to reproduce Default Privilege Drift: direct API bypass safely (so you can verify the fix)
- Identify the exact resource involved (table name, bucket name, function name).
- Attempt direct access using the same client credentials your app ships (anon/authenticated).
- Record what succeeds (status code, rows returned, file downloaded) so you can repeat the same test after fixing.
- If the example involves policies: confirm whether RLS is enabled and forced on the table.
- If the example involves Storage: test both object fetch and listing behavior (enumeration often matters).
Signals that confirm the Default Privilege Drift: direct API bypass root cause
- You can access the resource without going through your UI or backend endpoint.
- Access is possible with anon/authenticated credentials even though the app implies it shouldn’t be.
- Policies/grants are broader than intended or not enforced (RLS disabled/not forced).
- The fix requires changing both configuration (grants/policies/bucket settings) and application call paths.
Verification checklist after fixing Default Privilege Drift: direct API bypass
- Repeat the exact same direct access test you used for reproduction and confirm it fails (401/403).
- Confirm the app still works via backend endpoints for authorized users.
- Re-run a scan or checklist queries and confirm the exposure signal is gone.
- Check other environments (staging/prod) — drift is a common cause of “fixed in dev” failures.
Variations and edge cases for Default Privilege Drift: direct API bypass
- The UI may hide a list view, but the REST endpoint can still be called directly.
- IDs and filenames are often enumerable; security should not rely on “hard to guess.”
- A fix that blocks SELECT may still leave INSERT/UPDATE exposed (or vice versa).
- Storage links can be shared or cached; signed URL TTL and bucket privacy both matter.
- RPC can bypass table policies if functions run with elevated privileges.
How to prevent Default Privilege Drift: direct API bypass from coming back (drift guard)
- Add a release checklist item or CI query that flags new public grants/policies/buckets/functions.
- Keep a short runbook: what to test directly when this surface changes.
- Re-scan after migrations and after any change to auth, policies, Storage, or RPC.
What to change in your codebase after fixing Default Privilege Drift: direct API bypass
Most exposure fixes fail because teams change config but keep the same client call paths.
A safer pattern is to make the authorized path explicit in server code:
- Create a backend endpoint for the operation (read/write/download/export).
- Enforce authorization in the endpoint (ownership, membership, tenancy).
- Return only the minimum necessary data (avoid overfetch).
- Update the frontend to call the backend endpoint instead of calling Supabase directly.
This turns the fix into an architectural boundary you can test and monitor.
Step-by-step remediation plan for Default Privilege Drift: direct API bypass (practical)
Use this as a practical sequence you can follow without guessing:
- Identify every client code path that touches the resource (table/bucket/function).
- Implement a backend endpoint that performs the operation with explicit authorization.
- Deploy the backend endpoint first and validate it works for authorized users.
- Switch the frontend to call the backend endpoint (feature flag if needed).
- Revoke direct client access (grants, bucket settings, EXECUTE grants, broad policies).
- Run the verification checklist: direct access must fail; backend must succeed.
- Re-scan and confirm the exposure signal is gone.
- Add a drift guard so the next migration can’t silently reintroduce it.
Post-fix monitoring for Default Privilege Drift: direct API bypass
- Watch for spikes in denied access after tightening permissions (it reveals missed app paths).
- Monitor Storage downloads and RPC calls for unusual patterns (automation and scraping often look different than real users).
- Re-run drift checks after migrations and environment changes so the issue doesn’t silently return.
Post-fix evidence checklist for Default Privilege Drift: direct API bypass
Keep these small artifacts so a teammate can validate the boundary quickly after a migration:
- A saved pre-fix direct access request (the one that succeeded).
- The same request after the fix (must be denied).
- A note describing the authorized backend endpoint path and the authorization rule it enforces.
- A drift guard item you can run after future migrations (scan, checklist query, or release step).
This reduces the chance of silent regressions and makes incident response faster.
Related links
- Topic: Default Privilege Drift →
/examples/default-privilege-drift - Glossary: Default Privilege Drift →
/glossary/default-privilege-drift - Template: Lock down a public table (backend-only access) →
/templates/access-control/lock-down-public-table - Template: Remove over-permissive RLS policies (adopt deny-by-default) →
/templates/access-control/remove-over-permissive-policies
FAQ
How do I know if this example matches my project?
Compare your configuration to the scenario, then attempt direct API access using client credentials. If you can reproduce the behavior, the example is a strong match.
What’s the safest fix if I’m unsure?
Backend-only access is the safest default: revoke direct client privileges and route operations through server endpoints with explicit authorization.
What should I do after applying the fix?
Verify direct client access fails, confirm the app still works via backend endpoints, and re-run a scan to ensure the finding is resolved.
Next step
If you want to see whether your app has similar exposure, run a Mockly scan and compare findings to the examples here.
Explore related pages
sibling
Default Privilege Drift: migration drift regression/examples/default-privilege-drift/migration-drift-default-privilege-drift
sibling
Admin Panel Client-Only Auth: direct API bypass/examples/admin-panel-client-auth-only/direct-api-bypass-admin-panel-client-auth-only