We found 3 critical and 4 high-severity vulnerabilities putting your users' data at direct risk. The most urgent — exposed API keys in your JavaScript — means any visitor can read your entire database right now. Fix this today.
Your Supabase service role key is embedded in your compiled JavaScript file. This file is publicly accessible — anyone who visits your app can find it by opening browser developer tools. With this key, an attacker can bypass all database security and read, write, or delete every record. No login required.
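The check a build pipeline can run for this finding, as an added example that is not part of the sample report: Supabase's JWT-format API keys carry a `role` claim, and the secret key's claim reads `service_role`, so a compiled bundle can be scanned for any JWT whose payload says so and the build failed before deploy. The project reference, the bundle text and the dummy tokens below are constructed; the check assumes JWT-style keys.

```javascript
// Added example (not from the report): a build-time check that flags a
// Supabase service_role key embedded in a compiled JavaScript bundle.
// Supabase's JWT-format API keys carry a "role" claim: the public anon
// key says "anon", the secret key says "service_role".
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function decodeJwtPayload(token) {
  const part = token.split('.')[1];
  try {
    return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  } catch {
    return null; // matched the shape of a JWT but is not one
  }
}

// Scan bundle text; one finding per JWT whose role claim is "service_role".
function findServiceRoleKeys(bundleText) {
  const findings = [];
  for (const match of bundleText.matchAll(JWT_RE)) {
    const payload = decodeJwtPayload(match[0]);
    if (payload && payload.role === 'service_role') {
      findings.push({
        offset: match.index,
        issuer: payload.iss ?? null,
        ref: payload.ref ?? null,
        // never echo the secret itself into build logs
        preview: match[0].slice(0, 12) + '...',
      });
    }
  }
  return findings;
}

// Constructed sample bundle: two dummy tokens with a placeholder signature
// (the scanner only reads the payload, it does not verify signatures).
function fakeJwt(payload) {
  const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  return `${header}.${body}.c2lnbmF0dXJl`;
}
const PROJECT_REF = 'example-project'; // constructed project reference
const SAMPLE_BUNDLE = [
  `const supabase=createClient("https://${PROJECT_REF}.supabase.co","${fakeJwt({ iss: 'supabase', ref: PROJECT_REF, role: 'anon' })}");`,
  `const admin=createClient("https://${PROJECT_REF}.supabase.co","${fakeJwt({ iss: 'supabase', ref: PROJECT_REF, role: 'service_role' })}");`,
].join('\n');

const hits = findServiceRoleKeys(SAMPLE_BUNDLE);
console.log(hits.length ? `service_role key in bundle: ${JSON.stringify(hits)}` : 'bundle clean');
```

Run it against the real `dist/` output in CI and fail the job when the list is non-empty; the anon key is expected in the bundle and is not reported.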
Even if you fix the API key issue, there's a second problem: your database tables have no access restrictions. Any logged-in user can query records belonging to other users. User A can see User B's orders, messages, and private documents just by modifying a request in their browser.
Fix: `(auth.uid() = user_id)` — ensures users only see their own rows.

Your admin panel is "protected" by a check that happens entirely in the browser: if the user's role says "admin", show the admin area. Any user can open DevTools, change that value, and instantly gain admin access. The data is also being fetched regardless of the role check.
Fix: `USING (auth.jwt() ->> 'role' = 'admin')`

Without a Content Security Policy, if an attacker ever finds any way to inject code into your pages, they can run any script they want — stealing session cookies, redirecting users to fake login pages, or silently logging everything users type. A CSP is a critical last line of defense.
Fix: `default-src 'self'; script-src 'self';`

Your login and password reset pages accept unlimited requests with no slowdown. An attacker can try thousands of password combinations automatically, or abuse your password reset to flood users with emails.
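One way to put the missing limits in front of those two endpoints, as an added example that is not part of the report: a sliding-window limiter keyed per client IP and per target account, so that neither a single source nor a single victim account can be hammered, plus a reset limiter that stops sending mail without changing the response. The limits, window sizes, IP and addresses are constructed; the `now` argument is injectable so the behaviour is deterministic.

```javascript
// Added example (not from the report): sliding-window rate limiting for the
// login and password-reset endpoints. Limits and window sizes are constructed
// starting points, not figures from the report.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of allowed attempts
  }

  // Record an attempt for `key` at time `now` (ms). Blocked attempts are not
  // recorded, so a blocked client is not locked out indefinitely.
  check(key, now) {
    const cutoff = now - this.windowMs;
    const stamps = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (stamps.length >= this.limit) {
      this.hits.set(key, stamps);
      return { allowed: false, retryAfterMs: stamps[0] + this.windowMs - now };
    }
    stamps.push(now);
    this.hits.set(key, stamps);
    return { allowed: true, retryAfterMs: 0 };
  }
}

const FIFTEEN_MIN = 15 * 60 * 1000;
const loginPerIp = new SlidingWindowLimiter(20, FIFTEEN_MIN);      // one source, many accounts
const loginPerAccount = new SlidingWindowLimiter(5, FIFTEEN_MIN);  // one account, many sources
const resetPerEmail = new SlidingWindowLimiter(3, 60 * 60 * 1000);

// Login gate: both the IP and the account must be under their limits.
function gateLogin(ip, email, now = Date.now()) {
  const byIp = loginPerIp.check('ip:' + ip, now);
  if (!byIp.allowed) return { status: 429, retryAfterMs: byIp.retryAfterMs };
  const byAcct = loginPerAccount.check('acct:' + email.toLowerCase(), now);
  if (!byAcct.allowed) return { status: 429, retryAfterMs: byAcct.retryAfterMs };
  return { status: 200 };
}

// Password-reset gate: always answer 200 so the endpoint does not reveal
// whether the account exists; over the limit, simply stop sending the email.
function gatePasswordReset(email, now = Date.now()) {
  const r = resetPerEmail.check('reset:' + email.toLowerCase(), now);
  return { status: 200, sendEmail: r.allowed };
}
```

The `Map` keeps state in one process only; behind a load balancer the same counters belong in a shared store such as Redis, and the `retryAfterMs` value is what goes into the `Retry-After` header of the 429 response.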
| Additional High Findings | Severity | Effort to Fix |
|---|---|---|
| CORS policy allows all origins (*) — any website can make requests to your API | High | Low — 1 config change |
| HSTS header missing — users can be silently downgraded to HTTP | High | Low — 1 header to add |
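The CSP finding above and the two table rows (CORS wildcard, missing HSTS) are all response-header fixes, so here they are built in one place, together with a small audit function that reproduces the three findings against any headers object. This is an added example, not the report's or the app's code; the allowed origin is constructed, and the CSP adds `object-src`, `base-uri` and `frame-ancestors` directives beyond the two the report quotes.

```javascript
// Added example (not from the report): the security headers the findings
// call for, built by one function so every response gets them, plus an
// audit that flags the weak configuration the report describes.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed allowlist

function securityHeaders(requestOrigin) {
  const headers = {
    // The report's CSP (default-src / script-src 'self') plus three
    // directives that close plugin, base-tag and framing gaps.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    // HSTS: browsers refuse plain HTTP for this host for a year.
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
  };
  // CORS: echo the origin only when it is on the allowlist, never '*'.
  // 'Vary: Origin' stops a cache from serving one origin's answer to another.
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  }
  return headers;
}

// Audit a headers object (as returned by fetch or curl -I) for the three
// header findings; header names are matched case-insensitively.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if (!h['content-security-policy']) findings.push('CSP missing');
  if (!h['strict-transport-security']) findings.push('HSTS missing');
  if (h['access-control-allow-origin'] === '*') findings.push('CORS allows all origins');
  return findings;
}

// The weak configuration from the table, for comparison (constructed).
const WEAK_HEADERS = { 'Access-Control-Allow-Origin': '*' };

console.log('weak:', auditHeaders(WEAK_HEADERS));
console.log('fixed:', auditHeaders(securityHeaders('https://app.example.com')));
```

Attach `securityHeaders(req.headers.origin)` to every response in whatever framework the app uses; a request from an origin not on the list simply gets no `Access-Control-Allow-Origin` header, which is the browser's cue to block the cross-origin read.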
This sample shows what a Human Review report looks like. Your real report is specific to your URL, your stack, and your actual vulnerabilities — not a fictional example.