How do I know if my Supabase database is exposed?

If Row Level Security is off, the public anon key in your frontend can read every table. Here is how to check — safely — whether your Supabase data is downloadable.

This is the single most common way AI-built apps leak data. Your Supabase anon key is supposed to be in your frontend — that part is fine. The danger is whether Row Level Security (RLS) is turned on. With RLS off, that public key can read every row of every table.

The 30-second manual check

  1. Open your Supabase dashboard → Table Editor. For each table, look for an "RLS disabled" warning.
  2. Or go to Authentication → Policies: a table with no policies and RLS off is wide open.
  3. Technical check: send a request to https://YOUR-PROJECT.supabase.co/rest/v1/your_table?select=* with just the anon key. If it returns rows, anyone can read them.

The safe automated check

Shipshape tests this without ever reading your data: after you verify you own the app, it asks the database for a row count only (a HEAD request) — so it can prove "table X is readable and has N rows" while pulling zero rows across the wire. It never sees, stores, or shows your users' data.
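The count-only request described above can be reproduced against a project you own. This is an added example, not Shipshape's code: the function names and verdict labels are assumptions made here, and the sample header values in the last lines are constructed.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# PostgREST reports the count as "<first>-<last>/<total>" or "*/<total>".
_CONTENT_RANGE = re.compile(r"^(?:\d+-\d+|\*)/(\d+|\*)$")

def build_count_request(project_url, table, anon_key):
    """HEAD request for an exact row count; the response carries no body."""
    url = (f"{project_url.rstrip('/')}/rest/v1/"
           f"{urllib.parse.quote(table, safe='')}?select=*")
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}",
               "Prefer": "count=exact"}
    return urllib.request.Request(url, method="HEAD", headers=headers)

def classify(status, content_range):
    """Turn the HTTP status and Content-Range header into a verdict."""
    if status in (401, 403):
        return ("denied", None)       # rejected: bad key or no table privilege
    if status not in (200, 206):
        return ("error", None)        # unknown table, bad URL, outage...
    match = _CONTENT_RANGE.match(content_range or "")
    if not match or match.group(1) == "*":
        return ("unknown", None)      # server did not return a total
    total = int(match.group(1))
    if total == 0:
        # Ambiguous: the table is empty, or RLS is on and hides every row
        # from anon (RLS filters rows silently instead of raising an error).
        return ("no_rows_visible", 0)
    return ("exposed", total)         # anon key alone can read `total` rows

def check_table(project_url, table, anon_key, timeout=10):
    """Send the count-only probe to a project you own and classify it."""
    req = build_count_request(project_url, table, anon_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Range"))
    except urllib.error.HTTPError as err:
        return classify(err.code, None)

if __name__ == "__main__":
    # Constructed (status, Content-Range) pairs, so this runs offline.
    for sample in [(200, "0-24/3573"), (200, "*/0"), (401, None)]:
        print(sample, "->", classify(*sample))
```

A `no_rows_visible` result does not prove RLS is on, because an empty table looks the same; confirm the RLS state in the dashboard.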

If it’s exposed

  1. Enable RLS on every table (Supabase → Authentication → Policies).
  2. Add policies so a user can only read their own rows — start by denying all, then granting narrowly.
  3. Re-check until no table is readable with the anon key alone.

FAQ

Is it bad that my Supabase anon key is in the browser?
No — the anon key is public by design. The risk is whether Row Level Security is enabled. With RLS off, that public key can read your whole database.

How can I test if my database is readable without exposing data?
Ask the API for a row count only (a HEAD request with Prefer: count=exact). That proves a table is readable and how many rows it has without transferring any row data. That is exactly what Shipshape does after you verify ownership.

How do I fix an exposed Supabase database?
Turn on Row Level Security for every table and add policies that limit each user to their own rows.
