Listen to this Post

🔗 Relevant URL: Disclosed Online
Harley Kimball’s experience highlights critical security pitfalls when using Supabase and PostgreSQL, especially around Row-Level Security (RLS) and authentication. Below, we break down the vulnerabilities, fixes, and best practices.
You Should Know: PostgreSQL & Supabase Security Hardening
1. Preventing Email Leaks with PostgreSQL Views
Issue: User emails were exposed in API responses.
Fix: Created a PostgreSQL view excluding sensitive fields.
CREATE VIEW public_profiles AS SELECT id, username, bio FROM profiles;
Mistake: The view bypassed RLS because PostgreSQL views default to SECURITY DEFINER (executes with owner’s permissions).
Solution: Use SECURITY INVOKER to enforce RLS:
CREATE VIEW public_profiles WITH (security_invoker = true) AS SELECT id, username, bio FROM profiles;
Verify RLS Policies:
SELECT FROM pg_policies WHERE tablename = 'profiles';
2. Securing Supabase Auth & RLS
Issue: Attackers could still sign up despite frontend restrictions.
Fix: Disable sign-ups in Supabase Auth settings:
Using Supabase CLI supabase auth settings update --disable-signup
Enforce RLS on Tables:
ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
Create Strict RLS Policies:
-- Only allow reads from authenticated users CREATE POLICY read_profiles ON profiles FOR SELECT USING (auth.role() = 'authenticated');
3. Blocking Unauthorized SQL Operations
Issue: Attackers could INSERT/UPDATE/DELETE despite RLS.
Fix: Explicitly deny mutations:
-- Deny all writes unless admin CREATE POLICY write_profiles ON profiles FOR INSERT WITH CHECK (auth.role() = 'service_role'); -- Admin only
Audit Database Permissions:
SELECT FROM information_schema.role_table_grants WHERE table_name = 'profiles';
4. Automating Security Checks
Check for Open Auth Endpoints:
curl -X POST 'https://<your-ref>.supabase.co/auth/v1/signup' \
-H "apikey: <anon-key>" -d '{"email":"[email protected]","password":"password"}'
→ If this works, signups are still enabled!
Scan for Exposed Supabase Keys:
grep -r "SUPABASE_KEY" /src/
What Undercode Say
- Never trust frontend restrictions—attackers bypass UI.
- Always enforce RLS + SECURITY INVOKER in PostgreSQL.
- Disable unused Supabase Auth endpoints to prevent abuse.
- Log and monitor database mutations for anomalies.
Expected Output:
A hardened Supabase/PostgreSQL setup with:
✅ RLS-enabled views (`security_invoker=true`)
✅ Disabled public sign-ups (supabase auth settings update --disable-signup)
✅ Strict SQL policies (deny-by-default)
✅ Automated security checks (curl, grep, pg_policies)
Prediction
As low-code tools (Supabase, Firebase) grow, misconfigurations will lead to 50% more data leaks in 2024. Developers must adopt infrastructure-as-code security checks.
🔗 Further Reading:
IT/Security Reporter URL:
Reported By: Harley Kimball – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


