Preflight
Supabase safety check
Scan ToolExample ReportRoadmap
Read-onlyNo row bodiesNo service-role key
Pre-launch safety check for Supabase apps

See what anonymous visitors can already read before you ship.

Preflight checks whether anonymous visitors can read existing rows from your Supabase tables. Paste a deployed app URL to find your public Supabase config, or enter your Supabase project URL and anon key manually.

HEAD requests only Public anon key only Checked tables, not whole app
View example report  →

App URL discovery

Find Supabase config from public frontend files only.

No service-role keys or raw frontend files are stored. Public anon keys are used only to prepare the scan and are not persisted.

Configure check

Enter credentials or use auto-discovery on the left.

What Preflight checks

Preflight helps builders using Supabase, Next.js, Lovable, Bolt, v0, Cursor, or Claude catch obvious public exposure before launch. It can inspect public frontend files for Supabase config, then use the public anon key to test selected tables for anonymous-readable rows.

Finds public Supabase config in frontend files
Checks selected tables for anonymous-readable rows
Uses HEAD requests only
Does not fetch row bodies
Does not ask for service-role keys
Does not claim your whole app is secure

FAQ

Is the Supabase anon key safe to use?

Supabase anon keys are designed to be public, but they still enforce your Row Level Security policies. Preflight uses the anon key to check what anonymous visitors can already access.

Does Preflight need my service-role key?

No. Never paste your service-role key into Preflight. Preflight only uses the public anon key.

Does Preflight read my database rows?

No. Table checks use HEAD requests and Content-Range headers. Preflight checks whether rows are readable without downloading row bodies.

Does Grade A mean my app is secure?

No. Grade A means Preflight did not find anonymous-readable rows in the checked tables. It does not prove your whole Supabase project is secure.

Why do I need to enter table names?

Some Supabase projects block anon access to API discovery. Manual table entry lets Preflight safely check only the tables you choose.

Can Preflight find my Supabase config from my deployed app URL?

Yes. App URL discovery inspects public frontend files only, shows safe previews, and requires confirmation before using discovered config.