Live audit · 24h delivery · Active probe confirms every leak

I'll find your backend's leaky tables — from $29.

I scanned my own production project last week and found 17 publicly readable records I had no idea about. users, orders, internal admin documents, exposed via match /{doc} or allow read: if true rules. I'll do the same scan for yours.

⭐ Featured on Apify Store (#3 in security search) 📦 5 ecosystems supported (Supabase, PocketBase, Appwrite, Hasura, Firebase) 🔓 MIT open source — your token never leaves your machine 🛡️ Active probe (not just metadata)

What you get

Pick a tier (one-time payment, no subscription):

Impulse: $5. Top-5 SQL fix bundle, plain text, 12h email.
Monitoring (recurring): $9/mo. Weekly auto-scan + email digest of new leaks.
Lite: $29. Top 5 fixes + written summary, 24h.
Full: $99. Every table/bucket + 30d Q&A bundle, 24h.
Multi-Tenant (Pro): $249. Tenant isolation + SECURITY DEFINER + storage + 14d Q&A. PDF + 60-90s Loom. 48h.
After payment: you'll get an email asking for a read-only Personal Access Token (30-second flow). I never ask for service-role keys.
See a sample HTML report (the deliverable, generated against an intentionally-leaky test fixture)
NEW: Free in-browser scan — paste your project URL + anon key, see what's exposed in 5 seconds. Runs locally, nothing sent to my server.
Want to test the auditor first? Run it free on Apify (no install):
Free Apify run → you find leaks → buy the $99 written report when you want the full picture + fix SQL bundle.
Why now?

Firebase ships locked-down rules for new projects, but older projects often still carry the permissive test-mode rules. Audit before those rules expire and break your app, or worse, leak your data.
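For reference, here is what the expiring test-mode ruleset looks like beside a locked-down ruleset for the users, orders and admin collections mentioned above. This is an added illustration, not the page's or the auditor's own code; the ownerId field and the admin custom claim are assumptions, and the two rulesets are separate firestore.rules files shown together.

```firestore
// BEFORE: the permissive test-mode rules Firebase generates (constructed example).
// Any client, signed in or not, can read and write every document until the
// date passes; after that the rule is false and the app loses all access.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2024, 1, 30);
    }
  }
}

// AFTER: hardened rules. There is no catch-all match, so any path not
// listed here is denied by default.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // users: a signed-in user may only touch the document keyed by their own uid.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
    // orders: readable only by the owner recorded in the document
    // (ownerId is an assumed field name). Writes are refused to clients;
    // a trusted backend using the Admin SDK bypasses these rules.
    match /orders/{orderId} {
      allow read: if request.auth != null
                  && resource.data.ownerId == request.auth.uid;
      allow write: if false;
    }
    // admin documents: only ID tokens carrying an admin custom claim (assumed).
    match /admin/{document=**} {
      allow read, write: if request.auth != null
                         && request.auth.token.admin == true;
    }
  }
}
```

Verify the hardened set against an unauthenticated read of /users and /orders in the console's Rules Playground or the emulator with @firebase/rules-unit-testing before deploying it.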

Why me?

I built and shipped firebase-security-skill (open source MIT) — the only auditor with active anon-key probe + MCP server for AI coding agents. SaaS competitors charge $49–499/month for what's essentially metadata reads. This is the manual + faster version of that, run by me directly.

FAQ

What permissions do you need? Your Firebase service account JSON (revoke it 30s after). Read access is enough; the auditor never writes to your project.

Will you keep the token? No. Used only for the audit run. Deleted from my machine after the report is delivered. You can rotate it the moment you receive the report.

What if you find nothing? Money-back. I've never run this on a project that's been live >6 months and found zero issues, but if it happens to you, you don't pay.

Do you offer the fix too? The report ships with copy-paste SQL on every finding. If you want me to apply the fixes for you, that's a separate $199 add-on (we'll discuss after you see the report).

I'd rather just use the open-source tool. Go ahead — github.com/Perufitlife/firebase-security-skill. The $99 saves you the install + interpretation + writing the executive summary for your team. Worth it for some, not for others.

Built by @Perufitlife · Sibling open-source tools: MCP server · PocketBase auditor · Appwrite auditor · Hasura/Nhost auditor · Firebase auditor