Supabase exposure scan
Find the Supabase paths your client can reach.
Paste your project URL. Mockly tests tables, storage, RPC, grants, and RLS coverage, then returns a report with SQL you can review.
Scan posture: read-only
Fix format: SQL
Keys after run: no storage
Exposure receipt: supabase-project.co
profiles: /rest/v1/profiles, public read
notes: RLS disabled, policy bypass
avatars: bucket list, object names exposed
Fix draft:
revoke select on public.profiles from anon;
Verification: Direct client query should return no rows or permission denied.
Read-only by default
We scan. You decide what to apply.
Keys handled safely
Anon key is public. Service role is optional.
Actionable output
Clear exposure report + SQL fixes you can ship.
Coverage
Clear checks. Clear outputs.
Mockly focuses on what matters: exposures, policy gaps, and fixes you can apply confidently.
Public access
Tables reachable with public client credentials.
RLS enforcement
Where RLS must be enabled for policies to work.
Policy inspection
Detect overly-permissive rules (deep access when available).
Storage exposure
Buckets, object listing, and guessable filenames.
RPC exposure
Public functions that should require server-side access.
Sensitive signals
Risky column names that often hide secrets or PII.
Protection
Map the places Supabase can leak data.
Mockly checks public tables, weak grants, storage exposure, and RPC access, then shows what to change.
Public tables exposed.
RLS not enforced.
Policies that read everything.
Storage listing enabled.
Guessable file URLs.
Exposed RPC admin actions.