Firebase Security Checklist
Firebase is designed for rapid development, but many projects ship with default or overly permissive configurations. This checklist covers the critical security controls every Firebase project should implement.
1. Firestore Security Rules
The most common Firebase vulnerability is an open Firestore database: rules that grant read or write access to everyone, including unauthenticated clients, so anyone holding the project's public config can dump or overwrite every document. Never ship the following to production:
// DANGEROUS: allows anyone, signed in or not, to read and write every document
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
Instead, write granular rules per collection:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Profile documents: only the signed-in owner can read or write their own.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Posts are public to read. Only a signed-in user may create one, and only
    // as themselves. Updates and deletes are limited to the current author, and
    // an update may not reassign the post to a different authorId.
    match /posts/{postId} {
      allow read: if true;
      allow create: if request.auth != null
        && request.resource.data.authorId == request.auth.uid;
      allow update: if request.auth != null
        && resource.data.authorId == request.auth.uid
        && request.resource.data.authorId == resource.data.authorId;
      allow delete: if request.auth != null
        && resource.data.authorId == request.auth.uid;
    }
  }
}
Use the Rules Playground in the Firebase Console to try individual requests against a rule set before deploying, and run rules unit tests against the Firestore emulator in the Local Emulator Suite as part of CI so a permissive change cannot reach production unnoticed. See the dedicated Firestore Security Rules Checklist for deeper guidance.
2. API Key Restrictions
Firebase API keys are designed to be public: they identify your project to Google's APIs and do not, by themselves, grant access to data. Access is decided by your security rules and App Check, so a restricted key is a second layer, not a substitute. Still restrict every key:
- In the Google Cloud Console (APIs & Services > Credentials), add HTTP referrer restrictions to web keys and Android package name plus SHA-1 fingerprint or iOS bundle ID restrictions to mobile keys.
- Under API restrictions, allow only the APIs your app calls (for example Identity Toolkit API and Token Service API for Auth, Cloud Firestore API, Firebase App Check API, Firebase Installations API). Leave out administrative APIs the client never needs.
- Rotate any key that was exposed while unrestricted: create a new key with restrictions already in place, ship it in your app config, then delete the old one.
An unrestricted key lets anyone call the project's APIs from any origin, burning your quota, creating spam accounts through Auth, or enumerating data wherever rules are lax.
3. Firebase App Check
App Check attests that a request comes from a genuine instance of your app (a browser session that passed reCAPTCHA, or a device that passed Play Integrity or App Attest) rather than from a script or a modified client. It complements security rules rather than replacing them: a client that obtains a valid App Check token can still only do what the rules allow. Register the client SDK before any other Firebase call:
import { initializeApp } from 'firebase/app';
import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check';

// firebaseConfig is your project's public config object from the console.
const app = initializeApp(firebaseConfig);

// Must run before Firestore, Storage, Functions, etc. are first used.
const appCheck = initializeAppCheck(app, {
  provider: new ReCaptchaV3Provider('YOUR_RECAPTCHA_SITE_KEY'),
  isTokenAutoRefreshEnabled: true,
});
Registering the SDK only starts sending tokens. Enforcement is switched on per product in the Firebase Console (App Check > APIs) for Firestore, Realtime Database, Cloud Storage, and Cloud Functions; until you enable it, unverified requests are counted in the metrics but still served, so review those metrics first to avoid locking out legitimate users on older app versions. Callable Cloud Functions enforce it on the function itself with the enforceAppCheck option. For local development use a debug token instead of turning enforcement off.
For mobile apps, use App Attest or DeviceCheck (iOS) and Play Integrity (Android).
4. Firebase Auth Hardening
- Enable email verification and block unverified users from protected resources in your security rules with request.auth.token.email_verified == true; apply the same check in any backend code that trusts the ID token.
- Disable sign-in providers you are not using; every enabled provider is an extra way to create or reach an account.
- Require multi-factor authentication for the Google accounts that hold IAM roles on the project (the real admin accounts), and, for privileged users inside your app, enable MFA in Firebase Auth, which requires the Identity Platform upgrade.
- Keep the default "One account per email address" setting so that a sign-in through a second provider cannot silently merge into an existing account that shares the email, and treat an email address as unverified unless the provider actually verified it.
5. Realtime Database Rules
If you use Realtime Database alongside Firestore, audit its rules separately; they are a different, JSON-based language and nothing in your Firestore rules applies to them. Databases created in test mode start with ".read": true and ".write": true (usually with an expiry date that is easy to forget), which exposes the whole tree to anyone who knows the database URL and remains one of the most commonly exploited Firebase misconfigurations. Give every path an explicit rule tied to auth.uid, and remember that rules cascade: a permissive rule on a parent path cannot be tightened at a child path.
6. Cloud Storage Rules
Storage rules are separate from Firestore rules and must be explicitly configured:
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Each user may only read and write objects under their own prefix.
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }
  }
}
Validate content type and size in the rules (request.resource.contentType and request.resource.size) so clients cannot upload arbitrary or oversized files to inflate storage and egress costs. Keep in mind that Storage rules only govern requests made through the Firebase SDKs; objects written directly through the Cloud Storage API with IAM credentials bypass them.
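As an added example (not code from the original page), here is the users/{userId} rule above extended with the content-type and size checks. The 5 MB limit, the image/* restriction, and the path layout are assumptions chosen for illustration; deletes are handled separately because request.resource is not available on a delete.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumed layout: every object lives under users/<uid>/...
    match /users/{userId}/{allPaths=**} {
      function isOwner() {
        return request.auth != null && request.auth.uid == userId;
      }
      // Assumed policy: only images, and never more than 5 MB per object.
      function isAcceptableUpload() {
        return request.resource.size < 5 * 1024 * 1024
          && request.resource.contentType.matches('image/.*');
      }

      // Reads and deletes need ownership only; there is no upload to inspect.
      allow read, delete: if isOwner();

      // New objects and overwrites must pass the type and size policy.
      allow create, update: if isOwner() && isAcceptableUpload();
    }
  }
}
```

A client that uploads a 20 MB video to users/<its own uid>/clip.mp4 is rejected by the rule even though it owns the prefix; so is an upload that sets a spoofed content type, because contentType is taken from the request metadata and the regular expression does not match anything outside image/.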
7. Billing & Abuse Prevention
- Set budget alerts in the Google Cloud Console to get notified before costs spiral.
- Enable App Check to reduce unauthorized API calls.
- Use Security Rules to throttle expensive writes, for example with getAfter() and timestamps to enforce a minimum interval between document creations per user. Rules cannot count requests on their own, so the throttle state has to live in a document that the client updates in the same batched write as the document it creates.
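Worked example of the getAfter() throttle, added here and not part of the original page. It allows each user to create at most one post every 30 seconds. The collection names, the lastPostAt field on users/{uid}, and the 30-second window are assumptions. The client must create the post and set its own users/{uid}.lastPostAt to a server timestamp in a single batched write: get() sees the user document as it is before the batch, getAfter() sees it as it will be after the batch, and the create is allowed only if both views agree the window has elapsed and is being advanced.

```firebase-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }
    // Assumed layout: the throttle state is the user's own profile document.
    function throttleDoc(uid) {
      return /databases/$(database)/documents/users/$(uid);
    }
    // State before the write: no previous post, or the last one is older
    // than the window (30 s is an assumed value).
    function outsideWindow(uid) {
      return !exists(throttleDoc(uid))
        || !('lastPostAt' in get(throttleDoc(uid)).data)
        || get(throttleDoc(uid)).data.lastPostAt < request.time - duration.value(30, 's');
    }
    // State after the write: the same batch must stamp lastPostAt with the
    // request time, so a post created on its own is rejected.
    function advancesWindow(uid) {
      return getAfter(throttleDoc(uid)).data.lastPostAt == request.time;
    }

    match /posts/{postId} {
      allow read: if true;
      allow create: if isOwner(request.resource.data.authorId)
        && outsideWindow(request.auth.uid)
        && advancesWindow(request.auth.uid);
      allow update, delete: if isOwner(resource.data.authorId);
    }

    match /users/{userId} {
      allow read: if isOwner(userId);
      // The owner may write their profile, but lastPostAt can only be set to
      // "now" or left unchanged, so a client cannot backdate it to escape the throttle.
      allow create: if isOwner(userId)
        && (!('lastPostAt' in request.resource.data)
            || request.resource.data.lastPostAt == request.time);
      allow update: if isOwner(userId)
        && (!('lastPostAt' in request.resource.data)
            || request.resource.data.lastPostAt == request.time
            || ('lastPostAt' in resource.data
                && request.resource.data.lastPostAt == resource.data.lastPostAt));
    }
  }
}
```

On the client this means writeBatch(db) with a set() on the new post and a merge set() of { lastPostAt: serverTimestamp() } on users/<uid>, committed together; serverTimestamp() resolves to request.time inside rules, which is what both the users rule and advancesWindow() compare against. The get()/exists() calls on the same path count as one document read per evaluation, so the throttle costs one extra read per attempted post.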
8. IAM & Service Accounts
- Follow the principle of least privilege for all IAM roles: grant product-specific roles (such as Firebase Viewer or Cloud Datastore User) instead of the basic Owner and Editor roles, and review who holds them regularly.
- Audit service account keys regularly and prefer Workload Identity Federation for CI/CD and other external workloads over long-lived JSON keys; where a key is unavoidable, scope its service account narrowly and rotate it.
- Never commit service account JSON files to version control. A leaked key bypasses every security rule, because the Admin SDK operates with the service account's IAM permissions, not as an app user.
Use AuditYour.app to automatically scan your Firebase project for open rules, unrestricted API keys, and other common misconfigurations.
Related checklists
- Firestore Security Rules Checklist: checklist for writing secure Firestore rules
- API Key Management Checklist: checklist for proper API key handling and rotation
- Pre-Launch Security Checklist: security checklist before deploying BaaS applications to production
- Frontend Secret Leak Prevention Checklist: prevent secrets from leaking into client bundles