BaaS Compliance Checklist

Compliance considerations for backend-as-a-service apps

Last updated 2026-01-15

Quick Checklist

  1. Identify which data protection regulations apply (GDPR, CCPA, etc.)
  2. Implement user data export functionality
  3. Implement user data deletion (right to be forgotten)
  4. Maintain a data processing inventory
  5. Configure data residency to meet regional requirements
  6. Implement consent management for data collection
  7. Encrypt data at rest and in transit
  8. Set up audit logging for all data access
  9. Establish data retention and deletion policies
  10. Review BaaS provider compliance certifications
  11. Document your shared responsibility model
  12. Conduct regular privacy impact assessments
  13. Configure backup encryption and access controls

Using a backend-as-a-service platform like Supabase or Firebase does not exempt you from data protection regulations. You remain the data controller and are responsible for how user data is collected, processed, stored, and deleted. This checklist covers the key compliance areas.

1. Identify Applicable Regulations

Before building, determine which regulations apply to your application:

  • GDPR (EU): Applies if you process data of EU residents, regardless of where your company is based.
  • CCPA/CPRA (California): Applies if you serve California residents and meet certain thresholds.
  • HIPAA (US Healthcare): Applies if you handle Protected Health Information.
  • SOC 2: Not a regulation but a common audit framework for SaaS companies.
  • PCI DSS: Applies if you handle credit card data directly (note: using Stripe Checkout offloads most PCI requirements).

2. Data Subject Rights

Both GDPR and CCPA require you to support user rights. Implement these features:

Right to Access / Data Export:

// Supabase: export all data held about one user. Assumes a client created with
// the user's own session, so RLS scopes every query to that user's rows.
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(process.env.SUPABASE_URL!, process.env.SUPABASE_ANON_KEY!);

async function exportUserData(userId: string) {
  const { data: profile, error: profileError } = await supabase
    .from('profiles').select('*').eq('id', userId).single();
  if (profileError) throw profileError;
  const { data: scans, error: scansError } = await supabase
    .from('scans').select('*').eq('user_id', userId);
  if (scansError) throw scansError;
  // list() returns object metadata (name, size, timestamps), not file contents
  const { data: files, error: filesError } = await supabase.storage
    .from('uploads').list(userId);
  if (filesError) throw filesError;

  return { profile, scans, files };
}

Right to Deletion / Right to be Forgotten:

// adminClient: a Supabase client created with the service-role key (server-side
// only); auth.admin.deleteUser() requires it. Every step checks its error so a
// partial deletion is never reported as complete.
async function deleteUserData(userId: string) {
  // Delete from all tables (cascade or manual)
  const { error: scansError } = await supabase.from('scans').delete().eq('user_id', userId);
  if (scansError) throw scansError;
  const { error: profileError } = await supabase.from('profiles').delete().eq('id', userId);
  if (profileError) throw profileError;

  // Delete storage files
  const { data: files, error: listError } = await supabase.storage.from('uploads').list(userId);
  if (listError) throw listError;
  if (files?.length) {
    const paths = files.map(f => `${userId}/${f.name}`);
    const { error: removeError } = await supabase.storage.from('uploads').remove(paths);
    if (removeError) throw removeError;
  }

  // Delete auth account last, once every dependent row and object is gone
  const { error: authError } = await adminClient.auth.admin.deleteUser(userId);
  if (authError) throw authError;
}

Ensure deletion cascades through all tables, storage buckets, and third-party services (analytics, email providers, etc.).

3. Data Processing Inventory

Maintain a living document that records:

  • What personal data you collect (email, IP address, usage data, etc.)
  • Why you collect it (legal basis under GDPR)
  • Where it is stored (Supabase region, Firebase region, third-party services)
  • Who has access (team members, BaaS provider, subprocessors)
  • How long it is retained

4. Data Residency

Choose your BaaS provider's region based on where your users are located:

  • Supabase: Select a project region in the dashboard (e.g., eu-west-1 for EU compliance).
  • Firebase: Firestore and Cloud Storage regions are set at creation time and cannot be changed.

Verify that all services (auth, database, storage, functions) are in the same region. Some services may default to us-central1 even if your database is in Europe.

5. Consent Management

If you are subject to GDPR:

  • Collect explicit consent before processing personal data for purposes beyond core functionality (analytics, marketing emails, etc.).
  • Record when and how consent was given.
  • Allow users to withdraw consent at any time.
  • Do not use pre-checked checkboxes.

Implement a consent management UI and store consent records:

CREATE TABLE consent_records (
  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
  -- ON DELETE CASCADE so this foreign key does not block the auth account
  -- deletion performed in section 2
  user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE,
  consent_type TEXT NOT NULL,  -- 'analytics', 'marketing', etc.
  granted BOOLEAN NOT NULL,
  granted_at TIMESTAMPTZ DEFAULT now(),
  ip_address INET,
  user_agent TEXT
);
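The table above is an append-only log, so the application still has to derive the current consent state from it and record withdrawals as new rows. The following is an added example, not code from the original page; it assumes the consent_records schema above, two consent types, and constructed sample rows.

```typescript
type ConsentType = 'analytics' | 'marketing';

interface ConsentRecord {
  user_id: string;
  consent_type: ConsentType;
  granted: boolean;
  granted_at: string; // ISO-8601, as stored in the TIMESTAMPTZ column
  ip_address?: string;
  user_agent?: string;
}

// Rows are append-only: the most recent row per consent_type is the current
// state, and a type with no row at all means no consent (nothing pre-checked).
function currentConsent(rows: ConsentRecord[]): Record<ConsentType, boolean> {
  const state: Record<ConsentType, boolean> = { analytics: false, marketing: false };
  const newest: Partial<Record<ConsentType, number>> = {};
  for (const r of rows) {
    const ts = Date.parse(r.granted_at);
    const prev = newest[r.consent_type];
    if (prev === undefined || ts > prev) {
      newest[r.consent_type] = ts;
      state[r.consent_type] = r.granted;
    }
  }
  return state;
}

// Withdrawal is recorded as a new row (granted = false), never an UPDATE, so
// the record of when and how consent was originally given survives.
function withdrawalRow(userId: string, type: ConsentType, ip: string, ua: string,
                       at: Date = new Date()): ConsentRecord {
  return { user_id: userId, consent_type: type, granted: false,
           granted_at: at.toISOString(), ip_address: ip, user_agent: ua };
}

// Gate every optional processing step (analytics, marketing email) on this.
function mayProcess(rows: ConsentRecord[], purpose: ConsentType): boolean {
  return currentConsent(rows)[purpose];
}

// Constructed sample rows for one user (not real data)
const uid = '11111111-1111-1111-1111-111111111111';
const sampleConsent: ConsentRecord[] = [
  { user_id: uid, consent_type: 'analytics', granted: true,  granted_at: '2026-01-10T10:00:00Z', ip_address: '203.0.113.9', user_agent: 'Mozilla/5.0' },
  { user_id: uid, consent_type: 'marketing', granted: true,  granted_at: '2026-01-10T10:00:00Z', ip_address: '203.0.113.9', user_agent: 'Mozilla/5.0' },
  { user_id: uid, consent_type: 'analytics', granted: false, granted_at: '2026-01-12T08:30:00Z', ip_address: '203.0.113.9', user_agent: 'Mozilla/5.0' },
];
```

The same derivation can be done in SQL with DISTINCT ON (user_id, consent_type) ordered by granted_at DESC; the point is that withdrawal never overwrites history.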

6. Encryption

  • In transit: Both Supabase and Firebase enforce TLS for all API connections. Verify that your application does not downgrade to HTTP.
  • At rest: Supabase encrypts data at rest using AES-256. Firebase uses Google-managed encryption keys. For highly sensitive data, consider application-level encryption before storing.

7. Audit Logging

Enable and review audit logs for:

  • All authentication events (sign-ups, logins, password resets)
  • Data access by admin users or service accounts
  • Configuration changes (rule deployments, schema migrations)

Supabase provides auth.audit_log_entries and PostgreSQL audit extensions. Firebase provides Cloud Audit Logs in the Google Cloud Console.
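Reviewing audit logs means more than enabling them: someone has to look for patterns. The following is an added example, not code from the original page; it mirrors the shape of auth.audit_log_entries rows (a payload JSON with action and actor_username, created_at, ip_address) and assumes the action names 'user_recovery_requested', 'user_signedup' and 'login', so verify both against your own project. The sample rows are constructed.

```typescript
interface AuditEntry {
  payload: { action: string; actor_username?: string };
  created_at: string; // ISO-8601, as in auth.audit_log_entries
  ip_address: string;
}

interface Finding { rule: string; subject: string; count: number }

// Largest number of `action` events sharing one key inside any window of
// windowMs; returns one finding per key that reaches the threshold.
function burstFindings(entries: AuditEntry[], action: string, key: (e: AuditEntry) => string,
                       windowMs: number, threshold: number, rule: string): Finding[] {
  const byKey = new Map<string, number[]>();
  for (const e of entries) {
    if (e.payload.action !== action) continue;
    const k = key(e);
    byKey.set(k, [...(byKey.get(k) ?? []), Date.parse(e.created_at)]);
  }
  const findings: Finding[] = [];
  for (const [subject, ts] of byKey) {
    ts.sort((a, b) => a - b);
    let lo = 0, peak = 0;
    for (let hi = 0; hi < ts.length; hi++) {
      while (ts[hi] - ts[lo] > windowMs) lo++; // slide the window start forward
      peak = Math.max(peak, hi - lo + 1);
    }
    if (peak >= threshold) findings.push({ rule, subject, count: peak });
  }
  return findings;
}

// Two review rules: repeated password-reset requests for one account, and
// many sign-ups from one IP, each within an hour. Thresholds are assumptions.
function reviewAuditLog(entries: AuditEntry[]): Finding[] {
  const hour = 3_600_000;
  return [
    ...burstFindings(entries, 'user_recovery_requested', e => e.payload.actor_username ?? 'unknown', hour, 3, 'repeated-password-reset'),
    ...burstFindings(entries, 'user_signedup', e => e.ip_address, hour, 5, 'bulk-signup-from-ip'),
  ];
}

// Constructed sample rows (not real log data)
const sampleEntries: AuditEntry[] = [
  { payload: { action: 'user_recovery_requested', actor_username: 'a@example.com' }, created_at: '2026-01-15T10:00:00Z', ip_address: '203.0.113.5' },
  { payload: { action: 'user_recovery_requested', actor_username: 'a@example.com' }, created_at: '2026-01-15T10:20:00Z', ip_address: '203.0.113.5' },
  { payload: { action: 'user_recovery_requested', actor_username: 'a@example.com' }, created_at: '2026-01-15T10:40:00Z', ip_address: '203.0.113.5' },
  { payload: { action: 'user_recovery_requested', actor_username: 'b@example.com' }, created_at: '2026-01-15T09:00:00Z', ip_address: '198.51.100.7' },
  { payload: { action: 'login', actor_username: 'b@example.com' }, created_at: '2026-01-15T09:05:00Z', ip_address: '198.51.100.7' },
];
```

Run the same rules over Firebase Cloud Audit Logs by mapping the exported entries onto the AuditEntry shape; the rule logic does not depend on the provider.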

8. Shared Responsibility Model

Understand what your BaaS provider handles and what remains your responsibility:

| Area | Provider Responsibility | Your Responsibility |
|------|------------------------|---------------------|
| Infrastructure security | Yes | No |
| Database encryption at rest | Yes | No |
| Access control rules (RLS/Security Rules) | No | Yes |
| Application-level authorization | No | Yes |
| Data subject rights (export/delete) | No | Yes |
| Compliance certifications | Provider's own | Your application's |

Document this clearly for auditors and stakeholders.
