11% of vibe-coded apps are leaking Supabase keys
4 months ago
- #Developer-Tools
- #Supabase
- #Security
- Supabase is not insecure by design; it includes robust security features like Row Level Security (RLS) and role-based API keys.
- Common security issues arise from developer mistakes, such as AI-generated insecure boilerplate or misconfigured environment variables.
- In 2024-2025, tools like Supabase, AI assistants, and no-code builders made full-stack app development faster but introduced security risks.
- A scan of indie product directories revealed many apps misconfiguring Supabase, exposing service_role keys or lacking RLS policies.
- The service_role key bypasses RLS entirely, so anyone who obtains it has full read and write access to every table; Supabase's documentation reserves it for server-side use and says it must never ship in client code.
- Exposure rates varied across directories, with TrustMRR having the highest rate at 23.76%.
- Leaks mostly surface in the shipped JavaScript bundle. A common path is a framework that inlines every environment variable carrying a public prefix (NEXT_PUBLIC_ in Next.js, VITE_ in Vite) into the client build, so a service_role key stored under such a name is sent to every browser.
- Common causes include AI-generated code, skipped backend configurations, and copy-paste tutorials omitting security steps.
- To fix issues: rotate the exposed keys, audit environment variables (only the anon key belongs in a client-visible variable), move privileged operations to a backend where the service_role key stays server-side, enable RLS and write per-table policies (RLS with no policies denies all access through the anon and authenticated roles), and add build-time checks that fail the build if a service_role key appears in the output bundle.
- SupaExplorer offers tools to scan and fix security misconfigurations, helping developers secure their Supabase projects.
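The build-time check mentioned above, as an added example that is not part of the original post and not SupaExplorer's code. Legacy Supabase API keys are JWTs whose payload carries `iss: "supabase"`, the project `ref`, and a `role` claim of either `anon` or `service_role`, so a leaked service_role key can be recognised offline by decoding the payload, with no signature verification or network call. The project ref, the keys and the bundle text in the block are constructed for the example; the `sb_secret_` prefix for Supabase's newer non-JWT secret keys and the `dist/` build directory are assumptions.

```javascript
// Added example, not code from the original post or from SupaExplorer.
// Scans a JavaScript bundle for leaked Supabase service_role keys by decoding
// the payload of every JWT-shaped string and checking its "role" claim.
// The project ref, keys and bundle text below are constructed for this example.

// Three base64url segments; "eyJ" is how a base64-encoded '{"' JSON header starts.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
// Assumption: Supabase's newer non-JWT secret keys are prefixed "sb_secret_".
const SB_SECRET_RE = /sb_secret_[A-Za-z0-9_-]+/g;

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Returns the decoded payload of a JWT-shaped string, or null if it is not JSON.
function decodeJwtPayload(token) {
  try {
    return JSON.parse(base64urlDecode(token.split('.')[1]));
  } catch {
    return null;
  }
}

// Finds every Supabase key in a bundle string. Each finding records the role,
// the project ref, the offset, and a redacted prefix that is safe to print in CI logs.
function findSupabaseKeys(source) {
  const findings = [];
  for (const m of source.matchAll(JWT_RE)) {
    const payload = decodeJwtPayload(m[0]);
    if (!payload || payload.iss !== 'supabase') continue; // some other JWT, ignore
    findings.push({ kind: 'jwt', role: payload.role, ref: payload.ref ?? null,
                    offset: m.index, redacted: m[0].slice(0, 12) + '...' });
  }
  for (const m of source.matchAll(SB_SECRET_RE)) {
    findings.push({ kind: 'sb_secret', role: 'service_role', ref: null,
                    offset: m.index, redacted: m[0].slice(0, 12) + '...' });
  }
  return findings;
}

function serviceRoleLeaks(source) {
  return findSupabaseKeys(source).filter(f => f.role === 'service_role');
}

function hasServiceRoleLeak(source) {
  return serviceRoleLeaks(source).length > 0;
}

// Builds a structurally valid but unsigned Supabase-style JWT for the sample.
function makeFakeSupabaseJwt(role, ref) {
  const header = base64urlEncode({ alg: 'HS256', typ: 'JWT' });
  const payload = base64urlEncode({ iss: 'supabase', ref, role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.notarealsignature`;
}

// Constructed sample: a bundle that correctly embeds the anon key but also
// leaks the service_role key, the mistake the post's scan found.
const PROJECT_REF = 'abcdefghijklmnopqrst';
const SAMPLE_BUNDLE = [
  'const supabaseUrl="https://' + PROJECT_REF + '.supabase.co";',
  'const publicClient=createClient(supabaseUrl,"' + makeFakeSupabaseJwt('anon', PROJECT_REF) + '");',
  'const adminClient=createClient(supabaseUrl,"' + makeFakeSupabaseJwt('service_role', PROJECT_REF) + '");',
].join('\n');

// Scans every .js file under a build directory (assumed to be dist/ or similar)
// and returns the service_role leaks found, keyed by file path.
function scanBuildDir(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const result = {};
  const walk = d => {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, entry.name);
      if (entry.isDirectory()) walk(p);
      else if (p.endsWith('.js')) {
        const leaks = serviceRoleLeaks(fs.readFileSync(p, 'utf8'));
        if (leaks.length) result[p] = leaks;
      }
    }
  };
  walk(dir);
  return result;
}

// Stand-alone use: `node check-supabase-keys.js dist` fails the build on a leak;
// with no argument it runs the check on the constructed sample bundle.
if (typeof require !== 'undefined' && require.main === module) {
  const dir = process.argv[2];
  const leaks = dir ? scanBuildDir(dir) : { '<sample bundle>': serviceRoleLeaks(SAMPLE_BUNDLE) };
  for (const [file, found] of Object.entries(leaks)) {
    for (const f of found) {
      console.error(`${file}: service_role key (${f.kind}, ref=${f.ref}) at offset ${f.offset}: ${f.redacted}`);
    }
  }
  if (dir && Object.keys(leaks).length) process.exit(1);
}
```

Wire it in as a post-build step (for example `"build": "next build && node check-supabase-keys.js .next"` or the equivalent for `dist/`) so a service_role key in any emitted bundle fails CI before deploy. The check is deliberately offline: it never contacts the project, it only reads the role claim, and it logs a redacted prefix rather than the key itself so the CI log does not become a second leak.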