Supabase & Firebase Audit

62% of AI-generated code contains vulnerabilities.

Lovable, Bolt, Cursor, v0: these tools generate functional code, not secure code. Missing RLS policies, permissive Firestore rules, and public storage buckets are the most common flaws in "vibe-coded" apps, and each one exposes every user's data to anyone holding the public client key. We find them in hours.

What we audit

RLS policies (Supabase)

Verification of every table exposed through the API: is RLS enabled at all, and is there a policy for each of SELECT, INSERT, UPDATE and DELETE? A table with RLS disabled is fully readable and writable with the public anon key; a table with RLS enabled but a catch-all policy is no better. AI-generated apps systematically miss read and delete policies.
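The RLS checks above, as an added worked example written for this page (it is not the audit service's own tooling). It assumes a Supabase Postgres database with the stock anon and authenticated roles; the public.notes table and its owner_id column are hypothetical.

```sql
-- Added example, not the audit service's code. Assumes a Supabase project
-- with the stock anon/authenticated roles; public.notes is hypothetical.

-- 1. Tables in the API-exposed schema with RLS switched off: every row is
--    readable and writable with the public anon key.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity;

-- 2. RLS is on, but a policy grants access unconditionally (USING (true)).
select schemaname, tablename, policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- 3. Per-table coverage of the four commands. A missing command is denied,
--    which is usually a bug in the app rather than a deliberate choice.
--    polcmd: r=select, a=insert, w=update, d=delete, *=all.
select c.relname as table_name,
       coalesce(bool_or(p.polcmd in ('r', '*')), false) as has_select,
       coalesce(bool_or(p.polcmd in ('a', '*')), false) as has_insert,
       coalesce(bool_or(p.polcmd in ('w', '*')), false) as has_update,
       coalesce(bool_or(p.polcmd in ('d', '*')), false) as has_delete
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind in ('r', 'p') and c.relrowsecurity
group by c.relname;

-- Typical AI-generated table: RLS is enabled, but one catch-all policy lets
-- any caller read and modify every user's rows.
create table public.notes (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null default auth.uid() references auth.users (id),
  body     text not null
);
alter table public.notes enable row level security;

create policy "allow all" on public.notes
  for all using (true) with check (true);   -- weak: no owner check

-- Hardened: one policy per command, each scoped to the calling user and to
-- the authenticated role (anon gets nothing). service_role bypasses RLS and
-- must stay server-side.
drop policy "allow all" on public.notes;

create policy "notes_select_own" on public.notes
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy "notes_insert_own" on public.notes
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

create policy "notes_update_own" on public.notes
  for update to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

create policy "notes_delete_own" on public.notes
  for delete to authenticated
  using (owner_id = (select auth.uid()));

-- Manual check as the anon role: with the policies above this returns 0 rows
-- even though the table exists and contains data.
begin;
set local role anon;
select count(*) from public.notes;
rollback;
```

Queries 1 to 3 are the audit; the rest is the typical before/after. Wrapping auth.uid() in a subselect lets Postgres evaluate it once per statement instead of once per row, which matters on large tables.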

Firestore rules (Firebase)

Analysis of Firestore security rules: rules that let one signed-in user read or write another user's documents, collections with no rule at all or a blanket allow read, write: if true, and recursive wildcard matches on sub-collections that are broader than the rule on the parent document.

Storage buckets

Are Supabase Storage and Firebase Storage buckets public? A public Supabase bucket serves every object by URL with no token at all, whatever policies exist, so "public" must be a deliberate choice. We verify the public flag and the access policies on every bucket containing user files.
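The storage checks above as an added worked example for this page (not the audit service's tooling). It assumes a Supabase project; the user-files bucket and the convention of storing objects under a per-user folder named by the user's id are hypothetical choices made for the example.

```sql
-- Added example, not the audit service's code. Assumes a Supabase project;
-- the bucket name and the <user_id>/<file> path layout are assumptions.

-- Audit: buckets flagged public. Every object in these is downloadable at
-- /storage/v1/object/public/<bucket>/<path> without any token.
select id, public, file_size_limit, allowed_mime_types
from storage.buckets
where public;

-- Audit: policies on storage.objects that apply to every object regardless
-- of bucket or owner.
select policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'storage' and tablename = 'objects'
  and (qual = 'true' or with_check = 'true');

-- Typical AI-generated policy: anyone can read any object in any bucket.
create policy "Public Access" on storage.objects
  for select using (true);

-- Hardened: a private bucket, and policies that only allow a signed-in user
-- to touch objects under a folder named by their own user id.
drop policy "Public Access" on storage.objects;

insert into storage.buckets (id, name, public)
values ('user-files', 'user-files', false);

create policy "user_files_select_own" on storage.objects
  for select to authenticated
  using (bucket_id = 'user-files'
         and (storage.foldername(name))[1] = (select auth.uid())::text);

create policy "user_files_insert_own" on storage.objects
  for insert to authenticated
  with check (bucket_id = 'user-files'
              and (storage.foldername(name))[1] = (select auth.uid())::text);

create policy "user_files_delete_own" on storage.objects
  for delete to authenticated
  using (bucket_id = 'user-files'
         and (storage.foldername(name))[1] = (select auth.uid())::text);

-- A bucket that was made public by mistake is fixed with one statement;
-- objects in it stay where they are but now require a policy match.
update storage.buckets set public = false where id = 'user-files';
```

storage.foldername() splits the object name into its directory segments, so the first segment is the user id the object was uploaded under. The INSERT policy is what stops a user from writing into someone else's folder; the SELECT policy alone would only stop them reading it.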

RPC & Edge Functions

Are exposed server functions authenticated? Supabase publishes every function in the public schema at /rest/v1/rpc/, callable with the anon key by default, and a SECURITY DEFINER function runs with its owner's privileges and ignores RLS. We verify which Supabase RPCs and Firebase Cloud Functions can be invoked without access control, and what they can reach once invoked.
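The RPC checks above for the Supabase side, as an added worked example for this page (not the audit service's tooling). It assumes a Supabase project and reuses a hypothetical public.notes table with an owner_id column; the delete_user_data function is invented for the example.

```sql
-- Added example, not the audit service's code. Assumes a Supabase project;
-- public.notes(owner_id) and delete_user_data are hypothetical.

-- Audit: every function reachable at /rest/v1/rpc/<name>, whether it runs as
-- its owner (SECURITY DEFINER, RLS ignored), and which API roles may call it.
select p.proname,
       p.prosecdef as security_definer,
       has_function_privilege('anon', p.oid, 'execute')          as anon_can_call,
       has_function_privilege('authenticated', p.oid, 'execute') as authenticated_can_call
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
order by p.prosecdef desc, p.proname;

-- Typical AI-generated helper: SECURITY DEFINER, executable by anyone holding
-- the anon key (functions get EXECUTE for PUBLIC by default), no caller check.
create or replace function public.delete_user_data(target uuid)
returns void
language sql
security definer
as $$
  delete from public.notes where owner_id = target;
$$;

-- Hardened: the function refuses to act on anyone but the caller, pins
-- search_path so it cannot be redirected to another schema's objects, and
-- the default EXECUTE grant is replaced by one for signed-in users only.
create or replace function public.delete_user_data(target uuid)
returns void
language plpgsql
security definer
set search_path = ''
as $$
begin
  if target is distinct from auth.uid() then
    raise exception 'not allowed' using errcode = '42501';
  end if;
  delete from public.notes where owner_id = target;
end;
$$;

revoke execute on function public.delete_user_data(uuid) from public, anon;
grant  execute on function public.delete_user_data(uuid) to authenticated;
```

The audit query is worth running before and after: the hardened version should show anon_can_call = false for this function. Note that the caller check inside the body is what matters; the grant only decides who may reach the function, not what it does once reached.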

Authentication bypass

Email auto-confirm enabled (accounts usable without ever verifying the address), sign-up "disabled" in the frontend while the auth API still accepts it, missing email verification: auth configuration errors that allow unauthorized access.

Exposed API keys

Supabase anon keys backed by roles with excessive grants, Firebase config keys committed to source, service keys in frontend JavaScript. The anon key is designed to be public and is only as safe as RLS and the anon role's grants; the service_role key bypasses RLS entirely and must never ship to a browser. Both are JWTs, so the role claim in the payload tells you which one you are looking at.
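The grant-level part of the key check, as an added worked example for this page (not the audit service's tooling). It assumes a stock Supabase project, where new tables in public are granted to anon and authenticated by default and those defaults are defined for the postgres role; the public.admin_audit_log table is hypothetical.

```sql
-- Added example, not the audit service's code. Assumes Supabase's default
-- grants (anon and authenticated get ALL on new tables in public, via default
-- privileges defined for the postgres role); admin_audit_log is hypothetical.

-- What a holder of the public anon key can do at the privilege level, before
-- RLS is even consulted. Everything listed here relies on RLS being right.
select table_name,
       string_agg(privilege_type, ', ' order by privilege_type) as privileges
from information_schema.role_table_grants
where grantee = 'anon' and table_schema = 'public'
group by table_name
order by table_name;

-- Tables that the anonymous key must never reach: remove the grant outright
-- so the protection no longer depends on a policy being present.
revoke all on table public.admin_audit_log from anon;

-- Stop future tables from inheriting the grant for anon.
alter default privileges for role postgres in schema public
  revoke all on tables from anon;

-- Re-run the first query: admin_audit_log should no longer appear.
```

Removing grants is complementary to RLS, not a replacement for it: tables that the frontend legitimately reads keep their grants and are protected by policies, while back-office tables simply disappear from the anon key's reach.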

Ideal for

  • Applications built with Lovable, Bolt, Cursor, or v0
  • Startups that launched their MVP on Supabase or Firebase without a security audit
  • Non-technical teams that used no-code/low-code tools
  • SaaS in pre-launch looking to secure before first customers
  • Applications handling sensitive user data (health, finance, education)

Need an external review of your Supabase or Firebase app?

Share your product, stack, and client context. We will come back with the right review scope.

Discuss your audit