Supabase security check
Check if your Supabase tables are protected by RLS
Scans your live app to detect exposed Supabase anon keys and tests whether anonymous reads are blocked. The most common vibe-code security hole.
Supabase anon keys are public by design: they are safe to ship to the frontend only if row-level security (RLS) is enabled on all tables. The problem: most vibe-coded apps forget to enable RLS, which means anyone who inspects your page source can read (and sometimes write) your entire database. This scanner detects your Supabase project URL and anon key in the page source, then tests whether anonymous REST calls to your API return data.
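The same condition can be checked from the database side. The following is an added example, not part of the scanner: it audits which tables have RLS off and then locks one down. It assumes your API-exposed tables live in the `public` schema; the `profiles` table and its `user_id` column are hypothetical.

```sql
-- 1. Tables in the exposed schema with RLS disabled.
--    Every row returned is readable through the REST API with the anon key
--    (subject to the table grants on the anon role).
select n.nspname as schema_name,
       c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'          -- assumption: the schema exposed by the API
  and c.relkind in ('r', 'p')       -- ordinary and partitioned tables
  and not c.relrowsecurity
order by c.relname;

-- 2. Tables where RLS is on but a policy lets anonymous callers through
--    unconditionally, e.g. "using (true)" for the anon or public role.
select schemaname, tablename, policyname, cmd, roles, qual
from pg_policies
where schemaname = 'public'
  and roles && array['anon', 'public']::name[]
  and qual = 'true'
order by tablename, policyname;

-- 3. Fix for one table (hypothetical: public.profiles with a user_id column).
--    With RLS enabled and no policy for anon, anonymous reads return no rows.
alter table public.profiles enable row level security;

create policy "profiles: owner can read own row"
  on public.profiles
  for select
  to authenticated
  using (auth.uid() = user_id);

create policy "profiles: owner can update own row"
  on public.profiles
  for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);
```

Run query 1 again after the fix: an empty result means every table in the schema has RLS enabled, and query 2 then shows any remaining policies that still grant unconditional anonymous access.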