Live audit · 24h delivery · Active probe confirms every leak

I'll find your backend's leaky tables — from $29.

I scanned my own production project last week and found 17 publicly readable tables I had no idea about. b2b_leads, engagement_emails, internal growth metrics — anyone with the anon key from the JS bundle could read or delete them. I'll do the same scan for yours.

⭐ Featured on Apify Store (#3 in security search)
📦 5 ecosystems supported (Supabase, PocketBase, Appwrite, Hasura, Firebase)
🔓 MIT open source — your token never leaves your machine
🛡️ Active probe (not just metadata)

What you get

Pick a tier (one-time payment, no subscription)
Lite (most popular): $29
Top 5 critical findings + fix snippets, 24h
Best for solo devs / MVPs. Upgrade to full anytime.
Full: $99
Every table/policy/bucket + executive summary + fix SQL bundle
Best for production apps + multi-tenant. Money-back if I find nothing real.
After payment: you'll get an email asking for a read-only Personal Access Token (30-second flow). I never ask for service-role keys.

See a sample HTML report (the deliverable, generated against an intentionally-leaky test fixture)

NEW: Free in-browser scan — paste your project URL + anon key, see what's exposed in 5 seconds. Runs locally, nothing sent to my server.

Want to test the auditor first? Run it free on Apify (no install):
Free Apify run → you find leaks → buy the $99 written report when you want the full picture + fix SQL bundle.

Why now?

On October 30, 2026, Supabase enforces its new default on existing projects: tables in the public schema are no longer automatically exposed to the Data API. If you've been on Supabase >6 months, you almost certainly have leaky tables right now. After Oct 30 your app may break in unexpected ways if you don't audit and fix proactively.

Why me?

I built and shipped supabase-security (open source MIT) — the only auditor with active anon-key probe + MCP server for AI coding agents. SaaS competitors charge $49–499/month for what's essentially metadata reads. This is the manual + faster version of that, run by me directly.

FAQ

What permissions do you need? A Supabase Personal Access Token from supabase.com/dashboard/account/tokens. Read access is enough for the audit (the auditor never writes to your project).

Will you keep the token? No. Used only for the audit run. Deleted from my machine after the report is delivered. You can rotate it the moment you receive the report.

What if you find nothing? Money-back. I've never run this on a project that's been live >6 months and found zero issues, but if it happens to you, you don't pay.

Do you offer the fix too? The report ships with copy-paste SQL on every finding. If you want me to apply the fixes for you, that's a separate $199 add-on (we'll discuss after you see the report).

I'd rather just use the open-source tool. Go ahead — github.com/Perufitlife/supabase-security-skill. The $99 saves you the install + interpretation + writing the executive summary for your team. Worth it for some, not for others.

Built by @Perufitlife · Sibling open-source tools: MCP server · PocketBase auditor · Appwrite auditor · Hasura/Nhost auditor · Firebase auditor