Free tool
Supabase RLS Checker
Missing row-level security is the #1 cause of vibe-coded app breaches. Paste your Supabase project URL and public anon key to instantly see which tables are readable without authentication.
Found exposed tables? Get the full picture.
This tool checks anonymous read access only. A full ClearedToShip review covers writes, storage, functions and over-permissive authenticated policies — and ends in a signed, insured clearance.
In a hurry? Read how to enable RLS on Supabase or how to add RLS to a Lovable app.
FAQ
- Is it safe to paste my anon key here?
  Yes. The Supabase anon (public) key is designed to be public — it already ships inside your frontend where anyone can read it. We use it only to run the check and never store it.
- What does an 'Exposed' result mean?
  It means that table returned rows to an unauthenticated request using your public key. That's row-level security being off or too permissive — anyone with your anon key could read that data.
- Why do some tables say 'Verify'?
  The table returned no rows. That's either because it's empty or because RLS is correctly blocking access. Re-run once the table has real data to be certain.
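A 'Verify' result can also be settled from inside the database, without waiting for real data. The query below is an added example, not part of this tool or of the supabase-security-checker project: run in the SQL editor of a project you own, it reads the Postgres catalog to show, per table, whether RLS is on and which read policies reach the `anon` role. The table `public.profiles`, its `user_id` column and the policy name in the fix at the end are hypothetical.

```sql
-- Audit: RLS state and anon-reachable read policies for every table in
-- the public schema. Assumes the standard Supabase "anon" role exists.
select
  c.relname                                          as table_name,
  c.relrowsecurity                                   as rls_enabled,
  has_table_privilege('anon'::name, c.oid, 'SELECT') as anon_select_grant,
  count(p.policyname) filter (
    where p.cmd in ('SELECT', 'ALL')
      and p.roles && array['anon', 'public']::name[]
  )                                                  as anon_read_policies,
  coalesce(bool_or(p.qual = 'true') filter (
    where p.cmd in ('SELECT', 'ALL')
      and p.roles && array['anon', 'public']::name[]
  ), false)                                          as using_true_policy
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
  on p.schemaname = n.nspname
 and p.tablename  = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
group by c.oid, c.relname, c.relrowsecurity
order by c.relrowsecurity, c.relname;  -- tables with RLS off sort first

-- How to read the rows:
--   rls_enabled = false and anon_select_grant = true
--       -> readable with the anon key ("Exposed", or "Verify" if empty)
--   rls_enabled = true and using_true_policy = true
--       -> RLS is on, but a policy lets anon read every row
--   rls_enabled = true and anon_read_policies = 0
--       -> anon reads return no rows; "Verify" here means blocked

-- Fix for a hypothetical table public.profiles with a user_id column:
-- turn RLS on, then grant reads only to the signed-in owner of each row.
alter table public.profiles enable row level security;

create policy "profiles_owner_read"    -- hypothetical policy name
  on public.profiles
  for select
  to authenticated
  using ((select auth.uid()) = user_id);
```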
Inspired by the open-source supabase-security-checker project. Use only on projects you own or are authorized to test.