Loading user profile...

confindev

1thread

13replies

Threads created

RLS misconfiguration audit tool

A user named confindev introduces a tool designed to audit Supabase applications for potential Row Level Security (RLS) misconfigurations using just the site URL. The tool aims to help users identify and fix RLS issues. Another user, J_Adam12, questions the liability of the tool in case of a security leak, to which confindev responds by assuring the tool's reliability and clarifying that no data is stored.

Security

Recent replies

Agree!

3/14/2026, 11:14:38 AMView on platform

In my case, yes 💯

3/14/2026, 11:14:21 AMView on platform

Indeed!

3/14/2026, 11:13:51 AMView on platform

Thanks for sharing that! I agree that using an id is more modular than hard-coded enums

3/13/2026, 5:20:33 PMView on platform

Thanks for mentioning that!

3/13/2026, 3:07:47 PMView on platform

I do. Kinda happy paths. I agree that a better coverage would catch it

3/13/2026, 3:07:29 PMView on platform

Haha, I don’t. Just moved a bit fast here, but I used to have a 360° view of my products

3/13/2026, 2:51:38 PMView on platform

The DX of the client looks good to me. Just sharing an experience here. If I wanted an error to be raised, I’d use this throwOnError: [https://github.com/supabase/supabase-js/blob/b835e3c870f3767980776cc25fd16df72fa416be/packages/core/storage-js/src/lib/common/BaseApiClient.ts#L87-L103](https://github.com/supabase/supabase-js/blob/b835e3c870f3767980776cc25fd16df72fa416be/packages/core/storage-js/src/lib/common/BaseApiClient.ts#L87-L103)

3/13/2026, 2:35:40 PMView on platform

Not reallY. The DX looks good to me. Just sharing the experience here

3/13/2026, 2:30:39 PMView on platform

In my DB, I had a constraint on a column called "subscription\_type" that only allowed specific values, 'starter' and 'pro'. I end up by switching to 'premium' instead of 'pro'. The issue was that the database constraint was still expecting 'pro', so inserts with 'premium' was silently failing I fixed it by writing a migration to update the constraint and then ran the migration on the database. Then I generated the Supabase types and initialized my client with createClient<Database>, so the linter can catch this kind of mismatch

3/13/2026, 2:30:07 PMView on platform

Yeah, that was indeed totally my fault. The way Supabase handles this is probably not very intuitive, but it provides a good developer experience and is fine with me. Else, i'd just wrap with an high order function

3/13/2026, 2:23:25 PMView on platform

Reply to: RLS misconfiguration audit tool

Yes, it is totally reliable. When an issue is found, the user is notified so they can fix it. After applying the fix, they can rescan. I do not store any data. Plus, since I only need the site URL, if my intentions were bad, I could simply scrape places like Reddit instead.

3/13/2026, 12:26:53 PMView on Reddit

Thanks a lot for testing! I try to reduce false positives by detecting the nature of the key (e.g. anon vs sensitive keys). In cases where it’s unclear, I end up by leaving the judgment to the user

3/12/2026, 11:32:23 PMView on platform