How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

Zero Trust Architecture: A Practical Guide for 2026

Your startup probably already looks like a zero trust use case, even if you haven't labelled it that way. The app runs in the cloud, the team works from everywhere, contractors need scoped access, and your backend is exposed through APIs rather than a neat office LAN. The old idea that “inside the network” means “safe” doesn't fit that reality.

What matters now is whether each request earns access. Not whether it came from a VPN, not whether it originated from a private subnet, and not whether the caller is “one of ours”. If you're building on Supabase, Firebase, mobile clients, edge functions, and third-party integrations, that shift isn't academic. It's operational.

A lot of zero trust writing still talks like you're redesigning a giant bank network from scratch. Most startup teams need something else. They need a practical way to apply zero trust architecture to auth flows, database policies, service-to-service calls, and release pipelines without turning security into a six-month architecture project.

What Is Zero Trust Architecture Really

The old model was the castle-and-moat. Keep attackers outside the wall, and anything inside the wall gets treated as trusted. That worked better when systems lived in one data centre, employees sat in one office, and most important traffic stayed on a private network.

That's not your environment now. Your team signs in from home Wi-Fi, airports, coworking spaces, and personal devices. Your application talks to managed databases, storage services, payment providers, analytics tools, and push notification platforms over the internet. The moat is gone, but many teams still behave as if the courtyard is safe.

A diagram comparing the outdated castle-and-moat security model with modern zero trust architecture and its principles.

The mindset shift that matters

A better analogy is a modern office building. You don't let someone roam everywhere because they made it through the front door. They still need the right badge for the lift, the finance floor, the server room, and the records cabinet. Access depends on who they are, what they need, and whether they should be there right now.

That's what zero trust architecture does in technical terms. It removes automatic trust based on network location and replaces it with policy checks on every meaningful access request.

In the UK, this is no longer just vendor language. The NCSC defines zero trust as an approach where inherent network trust is removed, the network is assumed hostile, and every request is verified against access policy. Its guidance also states: “Don't trust any network between the device and the service it's accessing, including the local network.” That comes from the NCSC zero trust architecture design principles.

Practical rule: If your policy changes depending on whether a request came from “inside”, you probably still have a perimeter mindset.

For startup teams, this changes design decisions immediately. Internal admin tools need the same care as customer-facing APIs. Background jobs need scoped credentials, not broad ones. Mobile apps shouldn't be trusted just because they're your app. They still send requests across hostile networks and must prove identity and permissions each time.

What this means in a cloud-native stack

In practice, zero trust architecture is less about buying a magic security product and more about deciding where trust gets evaluated. In a modern stack, those decision points often sit in identity providers, API gateways, database policies, secrets management, and service-to-service authentication.

A useful companion topic is cloud security architecture for modern applications, because zero trust only works when the rest of the platform design supports it.

If your team is also handling distributed staff, personal devices, or contractors, legal and operational issues overlap with security design. This overview of securing remote work environments is worth reading because remote access problems often expose where companies still rely on implicit trust.

The Core Principles of Zero Trust

Zero trust architecture gets clearer when you stop treating it as a slogan and start treating it as a set of operating rules. NIST formalised that shift in NIST SP 800-207, which describes a zero trust architecture as an enterprise cybersecurity architecture based on zero trust principles that uses component relationships, workflow planning, and access policies to control access. NIST also makes the key point that the private network is not an implicit trust zone, and access must be dynamically authenticated and authorised before it's allowed, as set out in NIST SP 800-207.

An infographic showing the three core principles of zero trust architecture: verify explicitly, use least privilege access, and assume breach.

Verify explicitly

Every access request should be checked using the context you have, not waved through because it came from a familiar place. In a startup stack, that usually means evaluating identity, token validity, session state, device posture if you have it, and the specific resource being requested.

Take a finance dashboard. An authenticated user opening the app isn't enough. The system should still ask whether this user can access financial records, whether the session meets your current auth requirements, and whether the requested action is read-only or write-capable.

This principle is one reason teams invest in preventing vulnerabilities early. If auth assumptions get baked into code before review, you spend the next year patching edge cases that should never have existed.

Use least privilege access

Least privilege sounds simple, but teams often get it wrong by granting access at the role level and never revisiting it. “Engineer”, “admin”, and “service account” become oversized buckets.

A better model is narrower:

For users: grant access to the specific records, screens, or actions they need.
For services: issue separate credentials for each workload instead of sharing one broad secret.
For operations: keep powerful access short-lived and purposeful, especially for production tasks.

Here's the test. If one compromised token would let an attacker read unrelated customer data, alter billing settings, and invoke backend jobs, the permissions are too wide.

Assume breach

This isn't pessimism. It's design discipline. If a phone is stolen, a token is leaked, or a third-party package exposes credentials, what happens next?

Build your controls as if an attacker will eventually get a foothold. Then force them to hit another check at each next step.

That means separating admin surfaces from user surfaces, isolating high-value operations, narrowing database policies, and logging enough detail to understand what was attempted. “Assume breach” doesn't mean panic. It means you stop making single-point trust decisions.

A Phased Migration to Zero Trust

Organizations often fail with zero trust because they approach it like a giant replacement programme. That's usually a mistake. The better path is phased adoption, where each step reduces risk on its own and prepares the next one.

There's good reason for that approach. Many guides make microsegmentation sound like the centrepiece of the whole model, but recent UK government and NCSC-aligned guidance has leaned toward phased adoption and risk-based prioritisation instead of full-stack transformation. The practical point is that organisations can get much of the benefit from stronger MFA, privileged access management, and better visibility before deep segmentation. NIST's framing is also narrower than a lot of marketing. It focuses on reducing uncertainty in least-privilege access decisions, not on segmenting everything by default, as discussed in this overview of zero trust architecture and phased adoption.

A five-step infographic illustrating a phased migration strategy for implementing a comprehensive zero trust security architecture.

Phase one starts with visibility

Before you write policy, find out what exists.

You need an inventory of:

Identities: users, admins, contractors, service accounts
Assets: databases, storage buckets, internal tools, mobile apps, CI jobs
Paths: which systems talk to which, and what credentials they use

Teams often want to jump to enforcement. Don't. If you can't see the assets and trust paths, your policies will either miss critical routes or break normal work.

This is especially important in hybrid environments where some pieces still sit outside your main cloud platform. A useful reference point is security for hybrid cloud environments, because hybrid sprawl is where invisible trust relationships tend to survive longest.

Identity usually delivers the fastest win

For most startups, the highest-value early controls are identity-centred.

Start with:

MFA for privileged accounts
Role review for admin access
Shorter-lived credentials where your tooling supports it
Removal of shared operator accounts
Stronger separation between production and non-production access

These steps don't give you a complete zero trust architecture. They do remove a lot of silent risk quickly.

Device and session trust come next

If your team uses laptops with access to production consoles, code repositories, and deployment systems, the device itself matters. A valid user on an unmanaged or unhealthy device shouldn't look identical to the same user on a trusted workstation.

You don't need perfect endpoint maturity on day one. You do need to stop acting as though identity alone settles every question.

Use segmentation where it solves a real problem

Microsegmentation has value, but it's often overprescribed. Apply it where lateral movement would hurt you most: admin networks, production databases, internal control planes, and sensitive back-office systems.

A simple decision table helps.

| Situation | Good first move | What to avoid | |---|---|---| | Broad admin access | Tighten roles and MFA | Building complex network zones before fixing permissions | | Unclear service-to-service trust | Map calls and separate credentials | Reusing one secret across workloads | | Sensitive internal systems | Add segmentation around critical assets | Segmenting low-risk systems first | | Limited staff time | Prioritise highest-risk paths | Trying to redesign the whole estate at once |

Zero trust done in phases is still zero trust. Partial enforcement around the most important assets beats a grand design that never ships.

Automate the policy lifecycle

The final step is making controls repeatable. That means policy-as-code where possible, automated checks in delivery pipelines, and alerts when someone opens a path that should stay closed.

If every exception requires manual memory and tribal knowledge, the architecture won't hold for long.

Implementing Zero Trust with Supabase and Firebase

Startup teams can make zero trust architecture concrete. Supabase and Firebase already give you parts of the control plane. The mistake is assuming the platform gives you a secure model by default. It gives you building blocks. You still have to assemble the policy.

A hand-drawn illustration showing a developer coding on a laptop with Supabase, Firebase, and zero trust architecture symbols.

A mobile app request in the real world

Say you run a mobile app with user profiles, subscription data, and private messages.

The user opens the app on a train, logs in, and requests their data. Under a perimeter model, you might think: authenticated user, valid app, request allowed. Under a zero trust model, the path is stricter:

The app presents a valid identity token.
The backend checks that token on every request.
The data layer evaluates whether this user may read this specific row or document.
Sensitive actions, such as changing billing details or accessing admin features, require stronger conditions.

That's the key point. Auth gets the user into the conversation. Policy decides what they can do.

Supabase patterns that fit zero trust

Supabase maps cleanly to zero trust when you use it deliberately.

Treat Row Level Security as your policy engine

If you're using Postgres through Supabase, Row Level Security should enforce who can read or write each record. Don't rely on the frontend to filter data after retrieval. If the query can fetch it, assume an attacker can too.

A strong pattern looks like this:

User-scoped tables: policies compare row ownership to the authenticated user ID.
Team data: policies check membership and role in the relevant organisation.
Admin actions: route through carefully designed functions rather than broad table access.

Weak patterns show up fast. “Authenticated users can read all rows” is not zero trust. Neither is a policy that works for demos but exposes neighbouring tenant data.

Be careful with service-role usage

Supabase service-role keys are powerful. They belong on trusted server-side systems only, never in mobile apps, client bundles, or browser code. If a frontend needs broad privileges to function, the architecture is wrong.

Use edge functions or your own backend to hold privileged operations. Then make those functions perform their own checks before touching protected data.

Secure RPCs like application endpoints

Teams often lock down table access, then forget about database functions. An RPC that bypasses the intended access pattern can undo your whole policy model.

Review each function as if it were a public API method:

what identity reaches it
what it can read or change
whether it executes with higher privileges
whether its inputs can be abused to cross tenant boundaries

Firebase needs the same discipline

Firebase developers run into a similar problem with different tooling. Authentication is usually easy to switch on, which creates a false sense of safety. But signed-in is not the same as authorised.

Security rules must mirror your access model

For Firestore or Realtime Database, the rules need to express ownership, tenancy, and operation-level restrictions. “User is authenticated” is rarely enough for private or multi-tenant data.

For Cloud Storage, the same principle applies. Don't let broad authenticated access expose uploaded documents, exports, or internal assets.

Separate client and server trust

Cloud Functions, admin SDK usage, and background tasks need their own privilege boundaries. If a callable function accepts user-controlled input and then performs admin-level actions without careful checks, you've recreated implicit trust through application logic.

The platform doesn't break zero trust. Shortcuts do.

What works best for small teams

For early-stage teams, a practical implementation pattern usually looks like this:

Authentication at the edge: Supabase Auth or Firebase Authentication issues identity.
Authorisation at the data layer: RLS or security rules decide per request.
Privileged actions through a narrow backend path: edge functions, Cloud Functions, or a small API layer.
Separate secrets by environment and workload: don't share one key across apps, scripts, and operators.
Internal services treated like external callers: they authenticate, they get scoped permissions, and they're logged.

That combination is far more realistic than trying to buy “zero trust” as a product category.

Verifying Your Zero Trust Implementation

A zero trust design isn't finished when the policies are written. It's finished when you've proved the policies behave the way you think they do.

That sounds obvious, but many teams still verify security with spot checks. They log in as one test user, run a few queries, click through an admin screen, and assume things are fine. That catches gross mistakes. It misses subtle exposure paths.

Why manual checking breaks down

Manual verification has three recurring weaknesses.

First, people test the happy path. They confirm that the right user can access the right data, but they don't aggressively test whether the wrong user can access it too.

Second, they test visible interfaces and ignore indirect paths. A locked-down table may still be reachable through an RPC, a callable function, a background endpoint, or an overlooked storage rule.

Third, they test once. Zero trust controls change whenever schemas, roles, app features, and service integrations change. A policy that was safe last month may leak data after one rushed release.

What automated verification should actually do

For modern stacks, automated security scanners are useful because they behave more like an unfriendly reviewer than a checklist.

The right kind of scanner should validate whether your controls hold up under pressure:

RLS logic testing: try read and write patterns across user boundaries to detect real leakage
RPC discovery: find database functions or endpoints that bypass intended auth paths
Client secret inspection: inspect web bundles and mobile builds for exposed keys or hardcoded credentials
Regression detection: catch when a schema or rule change weakens an existing control

A helpful supporting discipline is cloud security analytics for ongoing validation, because good analytics tell you what happened while active testing tells you what's possible.

What to verify in Supabase and Firebase

If you're using Supabase, focus on whether RLS policies isolate tenants, whether storage policies match the same model, and whether privileged functions can be reached in unexpected ways.

If you're using Firebase, check whether rules protect reads and writes symmetrically, whether callable functions perform their own authorisation, and whether mobile apps expose credentials or configuration that widens access beyond what you intended.

A short verification checklist helps keep this concrete:

| Control area | Question to test | |---|---| | Auth | Can an expired, altered, or low-privilege identity still reach sensitive operations? | | Data access | Can one user read or modify another user's records? | | Functions | Does any backend function act with more privilege than the caller should have? | | Storage | Are uploaded files and exports scoped correctly per user or tenant? | | Frontend and mobile | Are secrets, keys, or internal endpoints exposed in shipped clients? |

Security controls you don't test will eventually become assumptions. Assumptions are where most application breaches start.

Common Pitfalls and How to Avoid Them

The hardest part of zero trust architecture isn't understanding the model. It's avoiding the shortcuts that allow perimeter thinking to creep back into the system.

The product trap

Teams buy a ZTNA tool, identity platform, or firewall and conclude they've “done zero trust”. They haven't. Products can enforce parts of the design, but zero trust architecture is the policy model across your whole stack.

Avoid this by writing down trust decisions in plain language. Who can access what, under which conditions, through which paths. Then map tools to those decisions.

The user experience trap

Security teams sometimes pile on prompts and restrictions until normal work becomes painful. Users then find workarounds, developers add exceptions, and the architecture becomes theatre.

Use friction where the risk justifies it. Keep common, low-risk flows smooth. Add stronger checks around admin actions, sensitive data, and unusual context changes.

The visibility gap

You can't protect assets you don't know about. Startups especially accumulate shadow systems fast: abandoned Firebase projects, test Supabase instances, old mobile builds, forgotten storage buckets, helper scripts with production credentials.

Avoid this with recurring inventory reviews. Include apps, secrets, service accounts, functions, scheduled jobs, and third-party integrations. If it can touch production data, it belongs on the map.

The internal trust fallacy

This is the one I see most often in modern app stacks. Teams secure customer-facing endpoints, then let backend jobs, database functions, and internal tools trust each other too broadly because they're “inside”.

They're not inside anything meaningful. They're just other callers.

Use scoped credentials for service-to-service traffic. Authenticate internal calls. Log them. Apply authorisation checks even when the caller is your own codebase.

A practical closing checklist

Before calling your implementation “zero trust”, check these points:

Every important request is authorised: not just authenticated
Frontend code holds minimal privilege: no hidden server powers in client apps
Privileged paths are narrow: admin actions don't share the same route as normal user traffic
Policies are tested continuously: not only during launch week
Internal systems are treated as hostile by default: they must prove access too

That's the standard. Not perfection. Not a giant transformation deck. Just a system where trust is earned, scoped, and continuously checked.

If you're building on Supabase, Firebase, or shipping mobile apps, AuditYour.App gives you a practical way to verify that your zero trust controls hold up. You can scan for exposed RLS rules, unprotected RPCs, leaked API keys, hardcoded secrets, and logic flaws that manual reviews often miss, then fix issues before they turn into user-facing incidents.