Is Supabase safe?

Supabase ships secure primitives but makes you assemble them. Here is what actually fails in production Supabase apps and how to harden in an afternoon.

TL;DR

Supabase is safe when configured correctly. Most breaches in Supabase-backed apps come from RLS misconfiguration, not from Supabase itself. Their security model is sound; the default app template relies on you to enable RLS per table.

How it fails in production

RLS disabled on new tables

New tables default to RLS-off. Forget to enable it and every row is public to anyone with the anon key.

Service-role key in client code

The service-role key bypasses every RLS policy. Shipping it client-side = full database compromise.

Storage buckets left public

Storage has its own RLS. Public buckets mean public files.

How to ship safely on Supabase

Enable RLS on every table (see /guides/supabase-rls-misconfiguration)
Never use service-role key client-side — anon key only
Set storage buckets to private; use signed URLs for downloads
Read /blog/seven-supabase-mistakes

What Securie covers

Securie's Supabase specialist is first-class. RLS validation, storage policy check, service-role leak detection, all run on every PR.

Verdict

Supabase is safe. Supabase apps with unreviewed AI-generated schemas are routinely not safe.