TIC Association
Supabase security

Find the RLS holes before your users do.

The most common way an AI-built app leaks data is not a crash. It is quiet: row level security switched on while the policies do nothing, or switched off on a table nobody remembered. This one SQL file finds those holes in about a minute.

Free. Read-only. No install, no account access, no keys shared.

what you run

One SQL file. You paste it and run it. It reads, it never writes.

You open your Supabase SQL editor, paste the file, and run it. It reads your database's own catalog and hands back a prioritized list of the security holes that matter, each with a plain-language explanation and a copy-paste fix. It never reads your rows, changes a setting, or phones home. Read the code and see for yourself.

severity | object | finding CRITICAL | public.profiles | RLS is OFF, table is world-readable and writable CRITICAL | public.messages | anon role holds a direct write grant HIGH | public.orders | RLS on, zero policies (silently blocks or exposes) HIGH | public.invoices | write policy missing WITH CHECK (write-as-anyone) OK | public.audit_log | RLS on, policies scoped to auth.uid()
what it checks

The five holes that leak real data.

Critical

RLS switched off

The number one leak. A table anyone can read or write, usually because it was created after row security was set up and never got locked down.

High

RLS on, zero policies

Row security is on but no policy exists, so the table silently blocks everything or exposes everything depending on the grant. This is the usual cause of the 42501 error.

High

Write policy with no WITH CHECK

A policy that checks who can write but not what they write, which lets a user insert or update rows as if they were someone else.

High

Policies open to everyone

A policy that looks secure but resolves to true for all, so it protects nothing while appearing to.

Critical

anon holds a direct grant

The anonymous role granted write access straight on a table, bypassing your policies entirely.

why this format

Safe by design, so you never have to trust us with anything.

No install

It is plain SQL. There is nothing to run on your machine and nothing to add to your project.

No account access

You never share your database password, your service key, or your project. You run it yourself, inside your own dashboard.

Read-only

It reads system catalogs only. It does not read your rows, write anything, or change a setting.

Works everywhere

Any Supabase project, nothing to configure. It ships with fix recipes and a Claude Code skill that writes the fixes for your exact tables.

start here

Run your preflight.

Download the auditor, paste it into your Supabase SQL editor, and read your findings. It catches the common, repeated failure patterns fast. It is not a full penetration test, so a high-stakes app still deserves a real review. Use it as your pre-launch preflight.

Download the free auditor

The free download is the read-only auditor SQL plus a plain-language README.

Want the fixes handed to you? The full security pack adds copy-paste fix recipes for every finding class and a Claude Code skill that writes the fixes for your exact tables.

if it finds something you cannot fix

We fix broken AI-built apps for a living. RLS is what we fix most.

If the auditor flags a hole and you would rather someone just fix it, that is our work. Send us the error and we diagnose it free. You pay only after the fix is verified working, and you own the clean code.

Get a free diagnosis

questions

Straight answers.

Is it safe to run on my production database?
Yes. It reads system catalogs only. It does not touch your data, change any setting, or send anything anywhere. You can read the whole file before you run it.
Do I have to share my keys or give access?
No. You paste and run it yourself inside your own Supabase SQL editor. You never share a password, a service key, or your project with anyone.
What if it finds a problem I do not know how to fix?
Each finding ships with a copy-paste fix recipe. If you would rather have it done for you, we fix broken AI-built apps at rescue.ticassociation.com, free diagnosis, pay only after it works.
Is this a full security audit?
No. It catches the common, high-frequency RLS mistakes that leak data in AI-built apps. Treat it as a fast preflight, not a replacement for a full review on a high-stakes app.

Close the holes before someone finds them.

Download the free auditor
© 2026 TIC Association Privacy · Terms hello@ticassociation.com