I built a tool that analyzes what websites using Supabase expose to attackers.

I built a tool that analyzes what websites using Supabase expose to attackers.

Hi all,

We’ve been working on LeakScope for a while now and recently updated it quite a bit.

We didn't build LeakScope because we wanted another security scanner.

We built it because after manually reviewing Supabase applications, we kept running into the same problems: weak RLS policies, overly permissive access rules, exposed frontend configuration, and data that developers didn't realize was publicly accessible.

LeakScope is an automated security scanner designed specifically for developers and indie hackers building applications with Supabase. It helps identify critical backend vulnerabilities—such as weak Row-Level Security (RLS) policies, exposed database tables, and API keys hidden in frontend code—simply by pasting your website's URL.

We recently expanded it with two scanning modes:

  • Light Scan — Fast public reconnaissance with no account required.
  • Deep Scan — Authenticated testing with broader coverage, including RLS validation, BOLA/IDOR checks, JWT analysis, and detailed security reports.

So far, LeakScope has:

  • Scanned 1,982 websites
  • Identified 13,834 security findings

We're still actively improving it, and we'd genuinely love feedback from everyone.

If you're building with Supabase, what would you want a tool like this to detect or do?

Whether that's generating RLS policies, exporting pgTAP tests, CI/CD integration, monitoring production changes, or something else. We'd love to hear your thoughts.

Drop your site, we'll run free scans for you or you can do it yourself at leakscope.tech it's free :)

u/StylePristine4057 — 15 hours ago

I built a tool that analyzes what websites using Supabase expose to attackers.

Hi all,

We’ve been working on LeakScope for a while now and recently updated it quite a bit.

We didn't build LeakScope because we wanted another security scanner.

We built it because after manually reviewing Supabase applications, we kept running into the same problems: weak RLS policies, overly permissive access rules, exposed frontend configuration, and data that developers didn't realize was publicly accessible.

LeakScope is an automated security scanner designed specifically for developers and indie hackers building applications with Supabase. It helps identify critical backend vulnerabilities—such as weak Row-Level Security (RLS) policies, exposed database tables, and API keys hidden in frontend code—simply by pasting your website's URL.

We recently expanded it with two scanning modes:

  • Light Scan — Fast public reconnaissance with no account required.
  • Deep Scan — Authenticated testing with broader coverage, including RLS validation, BOLA/IDOR checks, JWT analysis, and detailed security reports.

So far, LeakScope has:

  • Scanned 1,982 websites
  • Identified 13,834 security findings

We're still actively improving it, and we'd genuinely love feedback from developers.

The scanner itself was built using Gemini 3.1 (high & low reasoning modes) and Claude Sonnet to help design and iterate on the detection logic along side Codex, we're planning to use gemini API for the remediation guide that's going to be generated too.

If you're building with Supabase, what would you want a tool like this to detect or do?

Whether that's generating RLS policies, exporting pgTAP tests, CI/CD integration, monitoring production changes, or something else. We'd love to hear your thoughts.

u/StylePristine4057 — 15 hours ago

Your site built with Supabase backend could be compromised because of a misconfigured RLS Policy.

When you're shipping fast, security reviews are usually the first thing to slip.

Most Supabase apps don't get compromised because of sophisticated exploits—they expose data through weak RLS policies, overly permissive access, leaked frontend configuration, or credentials that were never meant to be public.

That's why we built LeakScope.

Paste in a public app URL and LeakScope checks what an attacker can learn from the outside.

We've also introduced Light Scan for quick public reconnaissance and Deep Scan for broader authenticated testing, including RLS validation, BOLA/IDOR checks, JWT analysis, and detailed reports.

So far, LeakScope has scanned 1,936 websites and identified 13,679 security findings.

The scanner itself was built using Gemini 3.1 (high & low reasoning modes) and Claude Sonnet to help design and iterate on the detection logic along side Codex.

Scan your site at leakscope[.]tech

u/StylePristine4057 — 1 day ago

Your Supabase app may be leaking more than you think.

🚨 Your Supabase app may be leaking more than you think.

A public app URL can reveal far more than expected—exposed keys, weak RLS policies, public data access, insecure auth patterns, and other security risks.

Meet LeakScope. 🔍

Simply paste your app's URL and let LeakScope uncover what attackers could see from the outside.

✅ No account required for a fast Light Scan
🔐 Unlock Deep Scan for authenticated testing, including:
• Full Row Level Security (RLS) validation
• BOLA / IDOR testing
• JWT security checks
• Evidence-based reports with remediation guidance

Whether you're a solo developer, startup founder, or security team, LeakScope helps you identify vulnerabilities before they become incidents.

⚡ Scan in minutes. Fix with confidence.

Check our leakscope[.]tech

#Supabase #CyberSecurity #AppSec #WebSecurity #Developers #SaaS #SecurityTesting #BugBounty #DevTools #Startup

u/StylePristine4057 — 1 day ago
▲ 14 r/AntigravityGoogle+9 crossposts

Introducing LeakScope: A Security Scanner for Supabase Applications

Introducing LeakScope, again.

we've been updating it : )

LeakScope is a security scanner built for Supabase applications. Paste your app's public URL, and it checks what an attacker can learn from the outside—from exposed keys and public data access to weak RLS, leaked credentials, and insecure frontend configuration.

We've introduced two scanning modes:

Light Scan — Paste a public app URL to instantly check for exposed keys, public data exposure, leaked credentials, weak RLS, and risky frontend configuration. No account required.

Deep Scan — Authenticate to validate Row Level Security, test BOLA/IDOR, analyze JWT security, and generate detailed reports for real security validation.

Whether you're a solo founder, indie hacker, or vibe coder shipping MVPs at 2 AM, LeakScope gives you a fast way to see what your app is exposing before everyone else does.

1,936 websites scanned.
13,679 security findings identified.

Try it out at leakscope[.]tech

u/StylePristine4057 — 11 hours ago
▲ 2 r/ARAM

4K+ AP Galio = Immortal

you just don't die anymore.. phenomenal evil is crazy good, ggs everyone in this match LOL.

u/StylePristine4057 — 1 month ago