Live audit · 24h delivery · Active probe confirms every leak

Did your AI coder ship your RLS policies? Find out before your users do.

v0, Cursor, Claude, and Bolt make it easy to ship Supabase apps in a weekend. They also happily leave USING (true) in every RLS policy. I scanned 100 random Supabase projects on GitHub — 22% leak user data anonymously. I built this auditor after I found 14 critical leaks in my own production CRM. Run it on yours.

⭐ Featured on Apify Store (#3 in security search)
📦 13+ stacks supported (Supabase, Firebase, Strapi, Directus, Payload, Convex, Hasura, n8n, Ollama & more)
🔓 MIT open source — your token never leaves your machine
🛡️ Active probe (not just metadata)
supabase-security · live demo

What you get

Pick a tier (one-time payment, no subscription)
Impulse · $5 · Top-5 SQL fix bundle, plain text, 12h email
Monitoring (Recurring) · $9/mo · Weekly auto-scan + email digest of new leaks
Lite · $29 · Top 5 fixes + written summary, 24h
Full · $99 · Every table/bucket + 30d Q&A bundle, 24h
Multi-Tenant (Pro) · $249 · Tenant isolation + SECURITY DEFINER + storage + 14d Q&A. PDF + 60-90s Loom. 48h.
Multiple BaaS stacks? Save with the bundle:
📦 BaaS Security Pack — 5 auditors · $99
Supabase + Firebase + PocketBase + Appwrite + Hasura/Nhost — 1 download
After payment: you'll get an email asking for a read-only Personal Access Token (30-second flow). I never ask for service-role keys.
See a sample HTML report (the deliverable, generated against an intentionally-leaky test fixture)
NEW: Free in-browser scan — paste your project URL + anon key, see what's exposed in 5 seconds. Runs locally, nothing sent to my server.
Want to test the auditor first? Run it free on Apify (no install):
Free Apify run → you find leaks → buy the $99 written report when you want the full picture + fix SQL bundle.
Why now?

On October 30, 2026, Supabase enforces the new default on EXISTING projects: tables in the public schema are no longer auto-exposed to the Data API. If you've been on Supabase for more than 6 months, you almost certainly have leaky tables right now. After Oct 30, your app may break in unexpected ways if you don't audit and fix proactively.

Why me?

I built and shipped supabase-security (open source MIT) — the only auditor with active anon-key probe + MCP server for AI coding agents. SaaS competitors charge $49–499/month for what's essentially metadata reads. This is the manual + faster version of that, run by me directly.

FAQ

What permissions do you need? A Supabase Personal Access Token from supabase.com/dashboard/account/tokens. Read access is enough for the audit (the auditor never writes to your project).

Will you keep the token? No. Used only for the audit run. Deleted from my machine after the report is delivered. You can rotate it the moment you receive the report.

What if you find nothing? Money-back. I've never run this on a project that's been live >6 months and found zero issues, but if it happens to you, you don't pay.

Do you offer the fix too? The report ships with copy-paste SQL on every finding. If you want me to apply the fixes for you, that's a separate $199 add-on (we'll discuss after you see the report).

I'd rather just use the open-source tool. Go ahead — github.com/Perufitlife/supabase-security-skill. The $99 saves you the install + interpretation + writing the executive summary for your team. Worth it for some, not for others.

Read first
→ I scanned 100 random Supabase projects. 22% were leaking user data anonymously.
9 min read · breakdown of the 5 patterns that account for 90% of RLS leaks, with copy-paste fixes.
Built by @Perufitlife · Sibling open-source tools: MCP server · PocketBase auditor · Appwrite auditor · Hasura/Nhost auditor · Firebase auditor