Tables
Tables and schema
Run deep inspection to list tables, review schema visibility, and explore rows in a safe viewer.
Deep inspection
Pulls schema and sample rows from your Supabase project.
Test suite
Authentication | manual
MFA and token handling
Review access and refresh token lifetimes, and ensure that routes which require a second factor check for the aal2 claim in the session JWT rather than only for a valid session.
Authentication | manual
Email link poisoning
Confirm that redirect URLs are allowlisted and that email links (magic links, confirmations, recovery) are built from the configured Site URL, never from the request's Host or X-Forwarded-Host header.
Authentication | manual
Redirect URL allowlist
Verify that the Site URL and the redirect URL allowlist are set to the production domains and contain no stale development entries.
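The two checks above (email link poisoning and the redirect allowlist) are easiest to reason about in code. The following is an added example, not code from the page's tool or from Supabase: it validates a redirect target against an allowlist by exact origin and path prefix (a simplified model of an allowlist, with no wildcard support, assumed for the example), and it shows the link-building bug side by side with the safe form. The Site URL, allowlist entries and the /auth/confirm route are constructed for the example.

```python
# Added example (not from the page or from Supabase): check a redirect target
# against an allowlist and build email links from the configured Site URL.
# The allowlist model (exact origin + path prefix, no wildcards) is an assumption.
import posixpath
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample configuration for the example.
SITE_URL = "https://app.example.com"
ALLOWLIST = ["https://app.example.com/auth/callback", "http://localhost:3000/"]


def normalize_origin(url: str) -> Optional[str]:
    """Return 'scheme://host[:port]' in lower case, or None for anything that is
    not an absolute http(s) URL (relative paths, '//host', javascript:, ...)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Rebuild from hostname/port so userinfo tricks such as
    # 'https://app.example.com@evil.example/' resolve to the real host.
    return f"{parts.scheme}://{parts.hostname.lower()}" + (f":{port}" if port else "")


def _normalized_path(url: str) -> str:
    # Collapse '..' segments so '/auth/callback/../admin' is judged as '/auth/admin'.
    return posixpath.normpath(urlsplit(url).path or "/")


def is_allowed_redirect(url: str, allowlist: list) -> bool:
    """True only if scheme, host and port match an allowlist entry exactly and
    the path is that entry's path or lies beneath it."""
    origin = normalize_origin(url)
    if origin is None:
        return False
    path = _normalized_path(url)
    for entry in allowlist:
        if normalize_origin(entry) != origin:
            continue
        allowed = _normalized_path(entry)
        if path == allowed or path.startswith(allowed.rstrip("/") + "/"):
            return True
    return False


def build_email_link(site_url: str, token_hash: str, request_headers: dict,
                     trust_forwarded_host: bool = False) -> str:
    """Build the link placed in a confirmation / magic-link email.
    trust_forwarded_host=True reproduces the poisoning bug: the attacker-controlled
    X-Forwarded-Host or Host header from the signup request ends up in the email
    the victim receives. The '/auth/confirm' path is an assumed application route."""
    if trust_forwarded_host:
        host = request_headers.get("X-Forwarded-Host") or request_headers.get("Host", "")
        base = f"https://{host}"
    else:
        base = site_url
    return f"{base.rstrip('/')}/auth/confirm?token_hash={token_hash}"
```

The interesting inputs are the ones that pass a naive substring or startswith check: `https://app.example.com.evil.com/...`, `https://app.example.com@evil.example/...`, `//evil.com/...` and `/auth/callback/../admin`. All four are rejected here because the comparison is on the parsed host and port and on a normalized path, not on the raw string.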
Authentication | manual
Public signup exposure
Check whether public signup is disabled, or otherwise guarded (for example invite-only), in production projects.
Authentication | manual
Bot protection
Verify that CAPTCHA is enabled for the sign-up and recovery flows where they are exposed to automated abuse.
PostgREST and RPC | unknown
Schema enumeration via OpenAPI
Detect whether the PostgREST OpenAPI document (the Data API root) is readable with only the anon key, and list the tables, views and RPC functions it exposes.
PostgREST and RPC | manual
Data API schema scope
Ensure only the schemas you intend to serve are exposed through the Data API, or disable the Data API entirely if the application only reaches the database server-side.
Row level security | unknown
Missing or permissive policies
Compare what the anon role can read from each table against what the service role returns; a table where the two match is either intentionally public or has RLS disabled or a policy that is effectively permissive.
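The OpenAPI enumeration check and the anon-versus-service-role comparison above are the two halves of one scanner step, so here is one added example covering both. It is not code from the page's tool or from Supabase. PostgREST's OpenAPI document only lists the objects the requesting role has privileges on, so the document fetched with the anon key is the list of tables and RPCs anon can reach; the example parses a constructed excerpt of such a document, then compares constructed result sets for two of the tables. The sensitive-column heuristic and the verdict names are assumptions made for the example.

```python
# Added example, not part of the page's tool or of Supabase: enumerate what the
# anon role can see from the PostgREST OpenAPI document, then compare per-table
# result sets fetched with the anon key and the service role key. All HTTP
# responses are constructed inline so the example runs offline.
import json
from typing import Dict, List

SENSITIVE_HINTS = ("secret", "token", "password", "hash", "key", "ssn", "stripe")

# Constructed excerpt of a PostgREST OpenAPI (Swagger 2.0) document as returned
# by GET /rest/v1/ with the anon apikey header.
OPENAPI_ANON = json.loads("""{
  "swagger": "2.0",
  "paths": {
    "/": {"get": {}},
    "/profiles": {"get": {}, "post": {}, "patch": {}, "delete": {}},
    "/api_keys": {"get": {}},
    "/rpc/delete_user": {"post": {}}
  },
  "definitions": {
    "profiles": {"properties": {"id": {}, "email": {}, "stripe_customer_id": {}}},
    "api_keys": {"properties": {"id": {}, "owner": {}, "secret": {}}}
  }
}""")


def enumerate_exposed(openapi: dict) -> dict:
    """Return {'tables': {name: {'methods', 'columns', 'sensitive_columns'}},
    'rpcs': [...]} for an OpenAPI document."""
    tables: Dict[str, dict] = {}
    rpcs: List[str] = []
    for path, ops in openapi.get("paths", {}).items():
        if path == "/":
            continue
        if path.startswith("/rpc/"):
            rpcs.append(path[len("/rpc/"):])
            continue
        name = path.lstrip("/")
        columns = list(openapi.get("definitions", {}).get(name, {}).get("properties", {}))
        tables[name] = {
            "methods": sorted(m.upper() for m in ops),
            "columns": columns,
            "sensitive_columns": [c for c in columns
                                  if any(h in c.lower() for h in SENSITIVE_HINTS)],
        }
    return {"tables": tables, "rpcs": rpcs}


def compare_access(service_rows: list, anon_rows: list, key: str = "id") -> dict:
    """Compare the rows the service role (which bypasses RLS) returns with the
    rows the anon role returns for the same table. Identical results mean RLS
    is off or the policy is effectively permissive for anon."""
    service_ids = {r[key] for r in service_rows}
    anon_ids = {r[key] for r in anon_rows}
    leaked = anon_ids & service_ids
    anon_columns = sorted({c for r in anon_rows for c in r})
    if not service_rows:
        verdict = "empty_table"
    elif not anon_rows:
        verdict = "denied"
    elif anon_ids >= service_ids:
        verdict = "fully_readable"      # RLS missing or permissive
    else:
        verdict = "partially_readable"  # a policy filters rows; review it
    return {"verdict": verdict, "leaked_rows": len(leaked),
            "total_rows": len(service_ids), "anon_columns": anon_columns}


# Constructed responses. api_keys: service role and anon both see both rows,
# secret column included. profiles: a policy restricts rows to the owner, so
# an anonymous request gets nothing back.
SERVICE_API_KEYS = [{"id": 1, "owner": "u1", "secret": "sk_live_x"},
                    {"id": 2, "owner": "u2", "secret": "sk_live_y"}]
ANON_API_KEYS = [{"id": 1, "owner": "u1", "secret": "sk_live_x"},
                 {"id": 2, "owner": "u2", "secret": "sk_live_y"}]
SERVICE_PROFILES = [{"id": "a", "email": "a@example.com"},
                    {"id": "b", "email": "b@example.com"}]
ANON_PROFILES: list = []


def run_report() -> dict:
    """Tie both checks together the way a scanner would: enumerate, then compare."""
    exposed = enumerate_exposed(OPENAPI_ANON)
    samples = {"api_keys": (SERVICE_API_KEYS, ANON_API_KEYS),
               "profiles": (SERVICE_PROFILES, ANON_PROFILES)}
    return {name: compare_access(*samples[name])
            for name in exposed["tables"] if name in samples}
```

Against a live project the two inputs come from `GET /rest/v1/` and `GET /rest/v1/<table>?select=*`, once with the anon key and once with the service role key in the `apikey` and `Authorization: Bearer` headers. A `fully_readable` verdict on a table whose columns hit the sensitive-name heuristic is the finding to escalate first.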
Row level security | manual
Column access controls
Use column-level privileges for sensitive fields where row policies alone are not enough: RLS filters rows, not columns, so a permitted row exposes every column the role can select.
Row level security | manual
Search path and helper bypass
Audit policies and SECURITY DEFINER helper functions for search_path issues; a definer function without a fixed search_path can be made to resolve tables or functions from a schema the caller controls.
Functions and RPC | manual
Exposed helpers and injection
Review the functions callable through /rpc by the anon and authenticated roles, and ensure their inputs are validated and that no dynamic SQL is built by string concatenation.
Extensions | manual
SSRF via network extensions
Verify that the http and pg_net extensions are usable only by trusted roles; a function that can issue arbitrary HTTP requests from the database is an SSRF primitive against internal services.
Vault and secrets | manual
Secret exfiltration
Ensure access to the Vault is limited to the roles that need it and that no decrypted secret is reachable by the anon role, directly or through a view or RPC.
Edge functions | unknown
Auth and CORS misconfigs
Check that functions verify the caller's JWT (unless they are deliberately public) and do not respond with a wildcard or reflected Access-Control-Allow-Origin.
Storage | unknown
Cross tenant leaks
Detect public buckets and review object access patterns for paths that reveal, or allow guessing, other tenants' objects.
Storage | manual
Ownership and signed URL scope
Confirm that storage policies enforce owner access and that signed URLs are short-lived and scoped to the object they were issued for.
Realtime and MCP | manual
Prompt injection and data leaks
Review stored prompts and the tools an agent may call, so that untrusted content (rows, messages, documents) cannot steer the agent into leaking data.
Platform wide | manual
DDoS and brute force
Verify that rate limits, spend caps and abuse monitoring are configured, so that traffic floods and credential brute-forcing are throttled and cannot run up unbounded cost.
Platform wide | manual
Rate limits and custom request rules
Check for throttling or custom request checks that limit abuse beyond what RLS alone can express.
Platform wide | unknown
Service role key exposure
Confirm that the service role key, which bypasses RLS, never appears in client bundles, mobile apps, public repositories or logs.
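Two of the checks in this list, the aal2 gate under "MFA and token handling" and the service role key scan above, both start by reading claims out of a Supabase JWT, so one added example serves both. This is not code from the page's tool or from Supabase. It decodes the payload without verifying the signature, which is fine for classifying a key found in a bundle or inspecting a session during review but must never be the basis for authorising a request; a real guard verifies the token against the project's JWT secret or JWKS first. The tokens and the bundle excerpt are constructed with placeholder signatures, and the `sb_secret_` prefix pattern is an assumption about the newer non-JWT secret key format.

```python
# Added example, not part of the page or of Supabase: decode JWT claims without
# verification to (a) gate a sensitive route on aal2 and (b) find service-role
# keys in client bundle text. Tokens and bundle text are constructed; the
# 'sb_secret_' prefix pattern is an assumption about the newer key format.
import base64
import json
import re
from typing import Optional

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SECRET_PREFIX_RE = re.compile(r"sb_secret_[A-Za-z0-9_-]{10,}")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Payload claims of a JWT WITHOUT signature verification. Use only for
    classification and review, never to authorise a request."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def sensitive_route_allowed(token: str, now: int) -> bool:
    """Gate for a route that must sit behind MFA: a valid session is not enough,
    the token must be unexpired and carry aal == 'aal2' (second factor done)."""
    claims = decode_jwt_claims(token)
    if not claims:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False
    return claims.get("aal") == "aal2"


def find_service_role_keys(text: str) -> list:
    """Scan bundle or log text for Supabase API keys and flag those that bypass RLS.
    Returns (kind, truncated_key) pairs so the report itself does not leak the key."""
    findings = []
    for m in JWT_RE.finditer(text):
        claims = decode_jwt_claims(m.group(0)) or {}
        if claims.get("role") == "service_role":
            findings.append(("service_role_jwt", m.group(0)[:20] + "..."))
    for m in SECRET_PREFIX_RE.finditer(text):
        findings.append(("sb_secret_key", m.group(0)[:20] + "..."))
    return findings


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: real header/payload encoding, placeholder signature."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed bundle excerpt: an anon key (acceptable in a client) next to a
# service-role key and a prefixed secret key (neither may ship to clients).
SAMPLE_BUNDLE = (
    'const pub = createClient(u, "' + make_unsigned_jwt({"iss": "supabase", "role": "anon"}) + '");\n'
    'const admin = createClient(u, "' + make_unsigned_jwt({"iss": "supabase", "role": "service_role"}) + '");\n'
    'const other = "sb_secret_' + "A" * 40 + '";\n'
)
```

Run `find_service_role_keys` over built JavaScript bundles, mobile app resources and log exports; the anon key in the same bundle is expected and is not reported. For the aal2 gate, note that the check is on the `aal` claim of the session the request carries, so a user who enrolled MFA but signed in with only a password still gets `aal1` and is correctly refused.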
Platform wide | unknown
CORS allows any origin
Detect a wildcard or reflected Access-Control-Allow-Origin on the auth and REST endpoints.
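The CORS check above and the CORS half of the edge function check ("Auth and CORS misconfigs") both reduce to classifying the response headers an endpoint returns to a probe request that carries an attacker-controlled Origin. The following is an added example, not code from the page's tool or from Supabase: the probe origin, the three sample header sets and the severity names are constructed for the example.

```python
# Added example, not from the page or Supabase: classify the CORS headers an
# auth/REST endpoint or edge function returns to a probe carrying an attacker
# origin. The header sets and severity labels are constructed for the example.
from typing import Dict


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def assess_cors(probe_origin: str, headers: Dict[str, str]) -> dict:
    """Return {'severity': 'ok' | 'broad' | 'critical', 'findings': [...]}."""
    acao = _get(headers, "Access-Control-Allow-Origin")
    acac = _get(headers, "Access-Control-Allow-Credentials").lower() == "true"
    vary = [v.strip().lower() for v in _get(headers, "Vary").split(",")]
    findings, severity = [], "ok"
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin: any site can call this endpoint from a browser")
        severity = "broad"
        if acac:
            # Browsers refuse '*' together with credentials, but it still marks a handler
            # that was not thought through.
            findings.append("credentials flag set alongside wildcard origin")
    elif acao and acao.lower() == probe_origin.lower():
        findings.append(f"request origin {probe_origin} reflected in Access-Control-Allow-Origin")
        severity = "broad"
        if acac:
            findings.append("reflected origin with Access-Control-Allow-Credentials: true "
                            "allows credentialed cross-origin reads from any site")
            severity = "critical"
        if "origin" not in vary:
            findings.append("reflected origin without Vary: Origin can be cached and "
                            "served to other origins")
    elif acao.lower() == "null":
        findings.append("'null' origin allowed: sandboxed iframes and data: pages gain access")
        severity = "broad"
    return {"severity": severity, "findings": findings}


PROBE_ORIGIN = "https://attacker.example"

# Constructed responses from three endpoints: a REST endpoint answering '*',
# an edge function reflecting the origin with credentials, and an auth
# endpoint pinned to the real application origin.
SAMPLES = {
    "rest_wildcard": {"Access-Control-Allow-Origin": "*"},
    "edge_reflect_creds": {"access-control-allow-origin": "https://attacker.example",
                           "access-control-allow-credentials": "true"},
    "auth_pinned": {"Access-Control-Allow-Origin": "https://app.example.com",
                    "Vary": "Origin"},
}


def run_cors_checks() -> dict:
    """Severity per sampled endpoint, the shape a scanner would report."""
    return {name: assess_cors(PROBE_ORIGIN, h)["severity"] for name, h in SAMPLES.items()}
```

To use it against a live project, send an OPTIONS preflight and a plain GET to each endpoint with `Origin: https://attacker.example` and feed the response headers to `assess_cors`; a pinned origin that does not match the probe is reported as `ok` because the browser will block the cross-origin read.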