How to Secure Supabase and PostgreSQL from Common Misconfigurations

Listen to this Post

Featured Image
🔗 Relevant URL: Disclosed Online

Harley Kimball’s experience highlights critical security pitfalls when using Supabase and PostgreSQL, especially around Row-Level Security (RLS) and authentication. Below, we break down the vulnerabilities, fixes, and best practices.

You Should Know: PostgreSQL & Supabase Security Hardening

1. Preventing Email Leaks with PostgreSQL Views

Issue: User emails were exposed in API responses.

Fix: Created a PostgreSQL view excluding sensitive fields.

CREATE VIEW public_profiles AS 
SELECT id, username, bio FROM profiles;

Mistake: The view bypassed RLS because PostgreSQL views default to SECURITY DEFINER (executes with owner’s permissions).

Solution: Use SECURITY INVOKER to enforce RLS:

CREATE VIEW public_profiles WITH (security_invoker = true) AS 
SELECT id, username, bio FROM profiles;

Verify RLS Policies:

SELECT  FROM pg_policies WHERE tablename = 'profiles';

2. Securing Supabase Auth & RLS

Issue: Attackers could still sign up despite frontend restrictions.

Fix: Disable sign-ups in Supabase Auth settings:

 Using Supabase CLI 
supabase auth settings update --disable-signup

Enforce RLS on Tables:

ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;

Create Strict RLS Policies:

-- Only allow reads from authenticated users 
CREATE POLICY read_profiles ON profiles FOR SELECT 
USING (auth.role() = 'authenticated');

3. Blocking Unauthorized SQL Operations

Issue: Attackers could INSERT/UPDATE/DELETE despite RLS.

Fix: Explicitly deny mutations:

-- Deny all writes unless admin 
CREATE POLICY write_profiles ON profiles FOR INSERT 
WITH CHECK (auth.role() = 'service_role'); -- Admin only 

Audit Database Permissions:

SELECT  FROM information_schema.role_table_grants 
WHERE table_name = 'profiles';

4. Automating Security Checks

Check for Open Auth Endpoints:

curl -X POST 'https://<your-ref>.supabase.co/auth/v1/signup' \
-H "apikey: <anon-key>" -d '{"email":"[email protected]","password":"password"}'

→ If this works, signups are still enabled!

Scan for Exposed Supabase Keys:

grep -r "SUPABASE_KEY" /src/

What Undercode Say

  • Never trust frontend restrictions—attackers bypass UI.
  • Always enforce RLS + SECURITY INVOKER in PostgreSQL.
  • Disable unused Supabase Auth endpoints to prevent abuse.
  • Log and monitor database mutations for anomalies.

Expected Output:

A hardened Supabase/PostgreSQL setup with:

✅ RLS-enabled views (`security_invoker=true`)

✅ Disabled public sign-ups (supabase auth settings update --disable-signup)

✅ Strict SQL policies (deny-by-default)

✅ Automated security checks (curl, grep, pg_policies)

Prediction

As low-code tools (Supabase, Firebase) grow, misconfigurations will lead to 50% more data leaks in 2024. Developers must adopt infrastructure-as-code security checks.

🔗 Further Reading:

IT/Security Reporter URL:

Reported By: Harley Kimball – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram