Find RLS bypasses, exposed data, and authentication flaws before attackers do. Our AI-powered penetration testing probes your Supabase APIs in minutes, not days.
3 free pen tests included. No credit card required.
Row Level Security (RLS) misconfigurations are among the most common causes of data exposure in Supabase projects. One forgotten policy can expose your entire user database.
A single table without RLS enabled can expose thousands of user records to anyone holding your project URL and public anon key.
Supabase auto-generates REST endpoints for every table in an exposed schema (public by default). Sensitive tables may be reachable without you realizing it.
Weak RLS policies, for example a SELECT policy whose USING clause is simply true, can let any authenticated user read data belonging to other accounts.
Get comprehensive security insights without complex setup or security expertise.
Enter your Supabase project URL and optionally provide your anon key for deeper testing. That's all we need to get started.
Our AI agent automatically tests your API endpoints for RLS bypasses, data exposure, CORS issues, and authentication flaws. Takes 1-3 minutes.
Get actionable findings with severity ratings, evidence of the vulnerability, and step-by-step remediation guidance.
We test for the most common and dangerous Supabase security vulnerabilities.
Discovers Row Level Security misconfigurations that could allow unauthorized access to user data.
Identifies tables returning personal information like emails, phone numbers, or payment details.
Detects tables accessible without authentication that should require login.
Tests for auth weaknesses, exposed admin routes, and weak session handling.
Checks for public storage buckets containing private user files.
Identifies wildcard CORS policies that allow any website to access your API.
Built specifically for Supabase developers who want actionable security insights.
Only reports issues you can actually fix in your Supabase dashboard or application code. No noise from platform-level configurations.
Read-only security testing that is safe to run on production. We never modify data or disrupt your application.
Get comprehensive security findings in 1-3 minutes. Watch progress in real-time as tests execute.
Purpose-built for Supabase projects. Tests RLS policies, storage buckets, and API endpoints specific to the Supabase architecture.
Real examples of the security findings our pen testing uncovers.
The "users" table has Row Level Security disabled, so every row is returned to anyone holding the public anon key.
Evidence
curl request authenticated only with the anon key returned 847 user records including email addresses
Recommendation
Enable RLS on the users table and create policies that scope reads and writes to the authenticated owner of each row. With RLS enabled and no policies, the table returns zero rows to the anon and authenticated roles.
The "profiles" table returns email addresses in the public API response without authentication.
Evidence
GET /rest/v1/profiles?select=* with the anon key returned the email field for all users
Recommendation
RLS filters rows, not columns, so a row policy alone will not hide the email column. Either revoke SELECT on that column from the anon role (column-level privileges), move it to a table that is not exposed through the API, or expose a view that omits it.
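As an added example, not part of the scanner's report or of Supabase's own code, here is the remediation for the two findings above written as the SQL a Supabase developer would run in the SQL editor or a migration. The tables public.users and public.profiles and the columns id, username, avatar_url and email are assumptions standing in for your own schema; auth.uid() and the anon, authenticated and service_role roles are Supabase's own.

```sql
-- Added example: remediation for "RLS disabled on users" and "email exposed on
-- profiles". Table and column names are assumptions, not from the report.

-- 1. Enable RLS on the exposed table. With RLS on and no policies, PostgREST
--    returns zero rows to the anon and authenticated roles. service_role still
--    bypasses RLS, which is why that key must never reach a client.
alter table public.users enable row level security;

-- Optional: make the table owner obey the policies too, so owner-level
-- queries cannot accidentally read everything.
-- alter table public.users force row level security;

-- 2. Let a logged-in user read and update only their own row. auth.uid() is
--    Supabase's helper returning the JWT "sub" claim (NULL for anon callers).
--    Wrapping it in (select ...) lets Postgres evaluate it once per query.
create policy "users: read own row"
  on public.users
  for select
  to authenticated
  using ((select auth.uid()) = id);

create policy "users: update own row"
  on public.users
  for update
  to authenticated
  using ((select auth.uid()) = id)
  with check ((select auth.uid()) = id);

-- 3. profiles is meant to be publicly readable (username, avatar), but the
--    email column is not. RLS cannot hide a column, so keep a permissive row
--    policy and use column-level grants: revoke the table-wide SELECT from
--    anon and grant back only the public columns.
alter table public.profiles enable row level security;

create policy "profiles: public read"
  on public.profiles
  for select
  to anon, authenticated
  using (true);

revoke select on public.profiles from anon;
grant select (id, username, avatar_url) on public.profiles to anon;

-- 4. Verify from the SQL editor by switching to the anon role. Note that after
--    column-level grants, GET /rest/v1/profiles?select=* fails with
--    "permission denied"; clients must request the allowed columns explicitly.
set role anon;
select count(*) from public.users;           -- expect 0 (RLS, no anon policy)
select id, username from public.profiles;    -- expect the public rows
-- select email from public.profiles;        -- expect: permission denied
reset role;
```

Run step 4 before and after applying steps 1 to 3 so the change in behaviour is visible. The same pattern, a row policy keyed on auth.uid() plus column grants for anything that must stay private, applies to any other table the scanner flags.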
CORS is configured to allow requests from any origin, so any website can issue requests to your API from a visitor's browser.
Evidence
Access-Control-Allow-Origin: * in response headers
Recommendation
Restrict allowed origins to your application domains wherever you control the CORS configuration (for example in your own proxy or in Edge Functions). Note that the Supabase REST API authenticates with bearer tokens rather than cookies, so a wildcard origin does not by itself let a third-party site read another user's authenticated data; what is at risk is whatever the public anon key can already read, which makes RLS the primary control.
Yes, absolutely. Our penetration testing is completely non-destructive and read-only. We only make GET requests and OPTIONS requests to probe your API. We never modify, delete, or create any data in your database.
The anon key is optional but recommended. Without it, we can only test basic CORS configuration and endpoint discovery. With the anon key, we can perform deeper testing of RLS policies, table enumeration, and data exposure. The anon key is designed to be embedded in public clients, so sharing it is safe. Never provide the service_role key: it bypasses RLS entirely and must stay server-side.
Most tests complete in 1-3 minutes. You can watch the progress in real-time as our AI agent executes various security tests against your Supabase API.
That's great news! It means your Supabase security configuration is following best practices. We still provide a summary of what was tested and verified, giving you confidence in your security posture.
Currently, our API security testing is purpose-built for Supabase projects. It specifically tests Supabase's RLS policies, storage buckets, and REST API patterns. We may support other platforms in the future.
Code scanning (like Semgrep) analyzes your source code for vulnerabilities. API penetration testing actually probes your live API to find runtime misconfigurations. Both are important - code scanning catches bugs before deployment, pen testing catches configuration issues in production.
Automated scheduling is available on our Enterprise plan. This allows you to run security tests on a regular cadence and get alerted when new vulnerabilities are detected.
Start with 3 free pen tests. No credit card required.
Join developers who trust CursorGuard to secure their Supabase projects.