Critical: Most new Supabase & Firebase apps ship with open access

Supabase & Firebase
Security Scanner.
RLS + Rules. Evidence-Based.

SecuriSky probes your deployed app the same way an attacker would: unauthenticated reads, config key extraction, rules analysis. If your data is accessible, you'll know in 60 seconds with exact evidence — not just a warning.

Audit My Database Security Free

No project access needed. Results with real evidence in under 60 seconds.

What gets checked

Active probes, not just static analysis. SecuriSky tries to reproduce what an attacker would do.

Supabase checks

RLS probe — unauthenticated read attempt on public tables
CRITICAL
Anon key exposure in JavaScript bundle (client-side)
HIGH
Storage bucket public read access
HIGH
Auth debug endpoints accessible without JWT
MEDIUM

Firebase checks

Firestore rules allowing public read/write (default state)
CRITICAL
Firebase Storage rules open to unauthenticated access
CRITICAL
Firebase config exposure in JavaScript bundle and HTML
MEDIUM
Realtime Database rules allowing unauthenticated access
HIGH

How the probe works (technical)

Supabase RLS probe

  1. Extract Supabase project URL and anon key from app JS bundle
  2. Attempt GET /rest/v1/{common_table_names} with anon key only
  3. If 200 + rows returned → RLS is off or misconfigured
  4. Report table names that leaked, row count, and sample column names

Firebase rules probe

  1. Extract Firebase config (projectId, apiKey) from app JS bundle or HTML
  2. Attempt unauthenticated Firestore read via REST API
  3. Attempt unauthenticated Firebase Storage GET
  4. Report which operations succeeded and what data was accessible

Findings include real evidence, not just warnings

Unlike theoretical scanners, SecuriSky shows you what it actually found.

CRITICAL — Supabase RLS Disabled

Evidence collected:

GET https://xyz.supabase.co/rest/v1/users → 200 OK

Response: 847 rows returned without authentication

Sample columns exposed: id, email, full_name, created_at, stripe_customer_id

Anon key source: window.__ENV__.NEXT_PUBLIC_SUPABASE_ANON_KEY (client bundle)
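As an added example (not SecuriSky's code or anything from the original page), here is the Supabase-side remediation for the RLS finding shown in the evidence above, assuming a public.users table with the listed columns whose id column is the Supabase Auth user id: the open state the probe reports, the grant and policy changes that restrict reads to the row owner, and two catalog queries that verify every table in the public schema has RLS on and at least one policy.

```sql
-- Assumed table, constructed from the columns in the evidence block above.
create table if not exists public.users (
  id                 uuid primary key default gen_random_uuid(),
  email              text not null,
  full_name          text,
  created_at         timestamptz not null default now(),
  stripe_customer_id text
);

-- Weak state the probe reports: RLS off, so PostgREST serves every row to the
-- anon role that the public anon key maps to (Supabase grants anon and
-- authenticated SELECT on public tables by default).
alter table public.users disable row level security;

-- Fix 1: unauthenticated visitors get no access to this table at all.
revoke all on public.users from anon;

-- Fix 2: turn RLS on; with no policies, signed-in users now see zero rows.
alter table public.users enable row level security;

-- Fix 3: a signed-in user may read and update only their own row.
-- Assumes users.id equals the Supabase Auth user id returned by auth.uid().
create policy "users: read own row"
  on public.users for select
  to authenticated
  using (id = auth.uid());

create policy "users: update own row"
  on public.users for update
  to authenticated
  using (id = auth.uid())
  with check (id = auth.uid());

-- Verification 1: every table exposed through /rest/v1 (schema public) must
-- have RLS enabled. This query should return no rows.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- Verification 2: each RLS-enabled table should carry at least one policy.
-- A table listed here is locked to zero rows: safe, but usually unintended.
select t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public'
  and t.rowsecurity
group by t.tablename
having count(p.policyname) = 0;
```

Run it in the Supabase SQL editor or psql against the project database; after it applies, an anon-key GET on /rest/v1/users returns no rows.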

FAQ

How does the Supabase RLS probe work?

SecuriSky extracts your Supabase anon key from your app's JS bundle, then attempts unauthenticated reads against common table names. If rows are returned, RLS policies are missing or misconfigured — and SecuriSky reports the exact table, row count, and column names exposed.

Can SecuriSky scan Firebase Security Rules directly?

SecuriSky probes Firebase from the outside: it extracts your Firebase config from the JS bundle, then attempts unauthenticated reads/writes to Firestore and Storage. If this succeeds, your rules are open. SecuriSky validates actual access, not just static rule analysis.

Do I need to give SecuriSky access to my Supabase or Firebase project?

No. All scanning is done against your deployed app URL, the same way an external attacker would probe it. No service role keys, no project access, no source code.

What does 'RLS disabled' actually mean for my users?

If Row Level Security is off on a Supabase table exposed via the REST API, any internet visitor can read all rows — including all user emails, account data, and anything else in that table. This is a full data exposure, not a theoretical concern.

SecuriSky also checks 25+ more things

Security headers (HSTS, CSP, X-Frame-Options, 9 more)
TLS certificate validity and cipher quality
CORS wildcard + credential bypass
Admin route enumeration (80+ paths)
Rate limit absence on auth endpoints
Git and config file public exposure
Performance: Core Web Vitals (LCP, FID, CLS)
Dependency file exposure (package.json, requirements.txt)
Competitor benchmarking (compare your score vs 3 rivals)
Playwright deep scan — JS-rendered content analysis

Is your database actually protected?

Find out in 60 seconds with real evidence — not just a checklist.

Run Supabase + Firebase Audit Free →

No project access needed · Free plan includes all database security checks