Tell Me When Down
How it worksWhat we checkPricing
BlogFree toolsCompareDocs
Log inGet started
All posts
Security for vibe-coded apps

How to secure a Supabase app: the five settings that matter

July 18, 2026·7 min read
A vaulted stone cloister in low light — a database only as secure as the walls built around it.

Supabase isn't insecure. But a Supabase app can be wide open, and almost always for the same reason: the defaults optimize for "it works," not "it's locked down," and the two look identical from the outside. Securing one is mostly a matter of knowing which handful of settings actually matter.

This is the map. Each area below is a place AI-built Supabase apps commonly leak, in rough order of how badly it bites — with the specific deep-dives linked where there's more to say.

1. Row Level Security is the whole game

Your app talks to Supabase from the browser using a public anon key. Everyone who loads the page has it. The only thing standing between that public key and your entire database is Row Level Security: rules that decide which rows each user can touch. RLS off means the public key can read and write everything.

And there's a trap even when it's "on." Supabase enables RLS automatically only for tables you create in the Table Editor — tables created by SQL, a migration, or an AI writing your schema don't get it by default. We cover the whole thing, including the "enabled but still public" policy trap, in is my Supabase database public?

RLS on with a policy of USING (true) is not protection — it means "this rule applies to every row," which lets everyone through. "RLS is enabled" and "my data is private" are separate claims; only real policies make the second one true.

2. Never ship the service_role key

Supabase gives you a second key, the service_role key, that bypasses RLS entirely. It exists for trusted server-side code. If generated code ever puts it in the browser to make an admin action "just work," every policy you wrote is moot — that key is a skeleton key to the whole database, handed to every visitor.

3. Storage buckets have their own rules

RLS protects your tables; it doesn't protect your files. Supabase Storage has its own access policies, and a bucket set public — or left with a permissive policy — exposes uploads to anyone with the URL. If your app stores user documents, invoices, or private images, the bucket policies need the same scrutiny as your tables.

4. Edge Functions and RPCs need their own checks

Anything callable — an Edge Function, a database RPC — has to re-check permissions itself. It's an endpoint, and an endpoint that assumes the caller is allowed because the UI wouldn't show the button is guarding nothing. The auth check belongs in the function, not the frontend.

5. Keep secrets out of the bundle

Third-party API keys, payment secrets, anything private belongs in a server-side environment variable, never in code that ships to the browser. This is the same mistake as the service_role key, one layer out — and it's common enough to have its own post: my API key is showing on my website.

Audit the whole thing at once

The fastest way through all five is to turn the model on its own work and make it check each area honestly:

paste into Claude or ChatGPT
Audit my Supabase app end to end for the security gaps that AI-built apps commonly ship with. Go through each area and tell me specifically whether my project is affected and the exact fix.

1. Row Level Security: list every table in the public schema and whether RLS is ENABLED. Flag any table with RLS off — it's readable/writable by anyone with the anon key.
2. Policies: for each table with RLS on, show the policies and tell me plainly whether they actually restrict rows to the owning user (auth.uid() = user_id) or effectively allow everyone (e.g. USING(true)).
3. Keys: confirm the service_role key is NEVER used in client/browser code — only the anon key. Flag any client init using the service role key.
4. Storage: check my Storage buckets — are any public that shouldn't be, and do bucket policies restrict access correctly?
5. Edge Functions / RPC: are any functions or database RPCs callable without the auth checks they need?
6. Secrets: are any third-party API keys or secrets shipped in the frontend bundle instead of server-side?

For each finding, give me the table/bucket/file, the risk in one sentence, and copy-pasteable SQL or code to fix it.

Supabase's own Row Level Security guide is the reference for the policy side.

The half you can check from outside

Everything above lives in your database and code. The other half — the certificate, the security headers, the cookies — lives on the public URL and is testable in seconds without touching anything:

free tool · no loginSecurity headers checkScan your app's live URL for the headers an app builder leaves unset — clickjacking, sniffing, and downgrade protection. No login.

Built with a specific tool? The same gaps show up host-by-host in Lovable, Bolt.new, and v0 apps — and the cross-cutting version is vibe coding security risks.

Lock the database down today. Know if it changes tomorrow.

The audit above secures your Supabase app now. Tell Me When Down watches it after — SSL that lapses, a URL that starts erroring, a site that goes down — free, no card, so a quiet change doesn't become a public one.

Watch my appfree · no card required
more on security for vibe-coded apps
Is my Supabase database public? RLS, and how to checkYour Supabase anon key is public by design — safe only if RLS is on with a real policy. Tables made outside the Table Editor ship with it off, and USING(true) is still open. Here's how to check if your data is public.My API key is showing on my website — is that bad?An API key visible in your frontend is a shrug or an emergency depending on which kind it is. Public keys (anon, pk_, Maps) are meant to be seen; secret keys are compromised the instant they ship. How to tell, and what to do.Is my app built with AI safe? A non-developer's checkYou built an app with AI, it works, and you're quietly worried it's not safe — but you can't read code. Here are the four plain-English questions that matter, and how to check each one without being a developer.Is Lovable secure? The one setting that decides itA Lovable app can be wide open, and the difference is one setting most builders never touch. The anon-key/RLS model, the gap behind a 2025 CVE, and how to check yours.Is Bolt.new secure? What the generated app leaves openBolt.new builds a working full-stack app fast — which is why the security gets skipped. The usual gaps: a Supabase database with RLS off, secrets in the bundle, UI-only authorization. Here's how to audit yours.Is v0 secure? Keeping a generated Next.js app's secrets inv0's Next.js output looks production-ready, which is the trap. NEXT_PUBLIC_ bakes a var into the bundle, and a secret in a client component ships to the browser. Here's how to check a v0 app keeps its secrets in.Vibe coding security risks: the checklist nobody runsThe appeal of vibe coding is that you don't read every line — which is exactly why the holes get through. Exposed secrets, a database anyone can read, rules enforced only in the UI, and how to close each one.

spot something wrong or out of date? [email protected] — we'll fix it

Tell Me When Down

Uptime and security monitoring for people who'd rather ship than babysit servers. We watch so you can sleep.

product
How it worksWhat we checkPricingDocsBlogFAQ
free toolsWebsite security scanSupabase pause checkRender sleep checkMixed content checkerSecurity headers checkCookie security checkSSL expiry check
comparevs UptimeRobotvs Better Stackvs PingdomFor indie hackers
company
StatusAbout our botSupportPrivacyTerms
© 2026 TellMeWhenDown · tellmewhendown.com