Your Supabase Is Public
4 months ago
- #Database
- #Supabase
- #Security
- Supabase anon keys are often left unprotected, exposing entire databases.
- Common issue: public users tables without Row Level Security (RLS) enabled.
- Example: fetching user data via simple curl commands with anon key.
- Supabase lacks warnings when creating public tables without RLS.
- Comparison: PocketBase has better default security settings.
- Concern: many Supabase projects may have exposed databases unknowingly.
- Suggestion: Supabase should improve default security warnings.
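
To check your own project for the exposure summarized above, the following audit query is added here as an example and is not code from the original post. It assumes the standard Supabase `anon` role and the `public` schema; the `users` table comes from the post's example, while the `id` column and the policy name are hypothetical.

```sql
-- Added example: list tables in the public schema that have Row Level
-- Security disabled, and show what the anon role is allowed to do on them.
-- Run as a privileged role (Supabase SQL editor or psql).
SELECT
    n.nspname                                     AS schema_name,
    c.relname                                     AS table_name,
    c.relrowsecurity                              AS rls_enabled,
    has_table_privilege('anon', c.oid, 'SELECT')  AS anon_can_select,
    has_table_privilege('anon', c.oid, 'INSERT')  AS anon_can_insert,
    has_table_privilege('anon', c.oid, 'UPDATE')  AS anon_can_update,
    has_table_privilege('anon', c.oid, 'DELETE')  AS anon_can_delete,
    -- Policies have no effect while RLS is disabled; a non-zero count here
    -- usually means someone wrote policies but never enabled RLS.
    (SELECT count(*) FROM pg_policy p
      WHERE p.polrelid = c.oid)                   AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')      -- ordinary and partitioned tables
  AND NOT c.relrowsecurity         -- RLS is off
ORDER BY anon_can_select DESC, c.relname;

-- Remediation for one flagged table. With RLS enabled and no policy,
-- non-owner roles see no rows; the policy then grants back only what is
-- intended. Assumption: public.users.id holds the auth user id.
ALTER TABLE public.users ENABLE ROW LEVEL SECURITY;

CREATE POLICY users_select_own           -- hypothetical policy name
    ON public.users
    FOR SELECT
    TO authenticated
    USING (auth.uid() = id);
```

Any row returned with `anon_can_select = true` is readable by anyone holding the project's anon key, which is shipped to every client.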