Storage Safety templates

What Storage Safety means for Supabase security

Storage exposure often happens when buckets are public or listing is allowed. A safe default is private buckets + signed URLs generated server-side, with predictable filenames avoided.

Storage Safety templates in this library

How Storage Safety fails in real apps

• Relying on “logged in” as authorization (authenticated ≠ authorized).
• Assuming policies work when RLS is disabled.
• Using broad conditions that don’t bind rows to a user/tenant.
• Fixing one table but leaving storage/RPC exposed.

How to fix Storage Safety issues safely

1. Start by removing direct client access to sensitive resources.
2. Centralize authorization in backend endpoints.
3. Use RLS as an additional safety gate (not the only one).
4. Verify fixes with direct access tests and re-scans.

Verification checklist for Storage Safety fixes

1. Identify the exact surface you’re changing (table, bucket, function).
2. Apply the template and keep a rollback path (feature flag or staged rollout) if possible.
3. Attempt direct access using client credentials (it should fail after the fix).
4. Confirm the app still works via backend endpoints for authorized users.
5. Re-run a scan and re-run any SQL checklist queries you use for drift detection.

Common pitfalls when applying Storage Safety templates

• Treating policies as the only control instead of also removing direct client paths.
• Forgetting to repeat the same hardening steps in production (drift between environments).
• Locking down reads but leaving writes exposed (or vice versa).
• Fixing the database but leaving Storage/RPC surfaces publicly accessible.
• Skipping verification and assuming “the UI works” means “it’s secure.”

Related glossary terms

• Supabase Storage Bucket Privacy → /glossary/supabase-storage-bucket-privacy
• Signed URLs → /glossary/signed-urls

How Storage Safety connects to conversions and examples

If you need the “full story” (not just copy/paste SQL), use these cross-playbook links:

• Conversions explain the entire unsafe → safe transformation and reduce missed steps.
• Examples show how the exposure shipped and how to verify your fix is real.

Use sibling category pages to broaden coverage, then return to the templates to apply changes with verification.

How to adapt Storage Safety templates to your schema

• Replace table/bucket/function names carefully and double-check you didn’t widen access accidentally.
• If you have multi-tenant data, make sure every rule binds rows to a tenant boundary (not just “logged in”).
• Prefer smaller, verifiable changes over large refactors; ship one fix, verify, then repeat.
• After applying a template, re-run the same direct access test you used to validate the risk.

Quick validation questions for Storage Safety

Use these questions to confirm you picked the right category and template before you make breaking changes:

• Can I access the resource directly without going through my backend?
• If I revoke client access, do I have a backend endpoint ready to replace it?
• Do I know how to prove the fix worked (one direct access test)?
• Am I fixing all environments (dev/staging/prod) or only one?

Next steps

Pick one template, apply it in staging, and run the verification checklist.

Then re-scan so you catch drift before it becomes an incident.