What a security scan checks for

When you run a scan, Base44 checks your app for common security issues like:

Public data access (RLS issues)

Some data should only be seen by the right people. Security Scan checks each of your data entities (like Tasks or Comments) to make sure users don’t have more access than they should. If your app allows everyone to view or edit certain data, the scan will show:
❗ All users have full access
⚠️ RLS Recommendation – Apply Fixes
Click Apply Fixes to use our recommended security rules. For example:
  • Only the record creator can view or edit it
  • Access is limited to specific users based on their email, role, or department
  • Only admins can make changes
Clicking Apply Fixes updates your entity’s security settings based on our safe, recommended defaults. You can always review or change them later.
Want to learn more about how access rules work? See the full guide on managing security settings.
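To make the three rule types above concrete, here is an added illustration written for this page. It is not Base44’s rule engine or rule syntax: the rule names, the user fields (email, role, department) and the sample Task records are assumptions chosen for the example. It shows how each rule narrows what a list query returns and what a write is allowed to touch.

```javascript
// Added illustration, not Base44's rule engine or syntax: a record-level
// access check in plain JavaScript. Rule names, user fields (email, role,
// department) and the sample data below are assumptions for the example.

// Constructed users and Task records.
const USERS = {
  alice: { email: "alice@example.com", role: "user",  department: "sales" },
  bob:   { email: "bob@example.com",   role: "user",  department: "support" },
  admin: { email: "admin@example.com", role: "admin", department: "ops" },
};
const TASKS = [
  { id: 1, title: "Call customer", created_by: "alice@example.com", department: "sales" },
  { id: 2, title: "Refund ticket", created_by: "bob@example.com",   department: "support" },
];

// Each rule answers "may this user read / write this record?".
// "anyone" is the state the scan reports as "All users have full access".
const RULES = {
  anyone: {
    read:  () => true,
    write: () => true,
  },
  creatorOnly: {                       // only the record creator can view or edit it
    read:  (u, r) => u.email === r.created_by,
    write: (u, r) => u.email === r.created_by,
  },
  sameDepartment: {                    // access limited by a user attribute
    read:  (u, r) => u.department === r.department,
    write: (u, r) => u.department === r.department,
  },
  adminWrites: {                       // signed-in users can read, only admins can change
    read:  () => true,
    write: (u) => u.role === "admin",
  },
};

// Anonymous callers (user === null) are denied whatever the rule says.
function canAccess(rule, action, user, record) {
  if (!user) return false;
  const check = rule[action];
  return Boolean(check && check(user, record));
}

// What a list query returns under a rule: only the rows the user may read.
function visibleRecords(rule, user, records = TASKS) {
  return records.filter((r) => canAccess(rule, "read", user, r));
}
```

Under `anyone`, Bob sees both tasks; under `creatorOnly` he sees only his own; under `sameDepartment`, Alice sees only the sales task; and under `adminWrites` Bob can read the tasks but only the admin user can change them.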

Exposed secrets

Security scan also looks for things like:
  • API keys
  • Tokens
  • Sensitive credentials
If it finds any of these in your frontend code, it will let you know so you can remove or move them to a secure place.
What is a secret? Secrets are private codes or digital keys that let your app connect to other services. If someone gets hold of a secret, they might be able to misuse your app or access data they shouldn’t. Anything in your frontend code is downloaded by every visitor’s browser, so a key placed there should be treated as already public.
How do I fix an exposed secret?
Fixing an exposed secret like an API key requires touching the code, because:
  • You need to remove the key from your frontend code (a manual edit),
  • And move the logic that uses it to a secure place, usually a backend function that you’ll either create or update.
  • Because the key has already been shipped to browsers, you should also revoke it and generate a new one with the service that issued it, and store the new key only on the backend.
You can paste the error and the code into Discuss mode to get step-by-step instructions from the AI. The AI can help write the code for the backend function and modify your frontend to call it.
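The following is an added example for this page, not Base44’s scanner or SDK. Part 1 shows the kind of pattern match a scan runs over frontend source to spot a credential; part 2 shows the fix, where the browser keeps no key and a backend function reads it from the server environment. The key formats, the `WEATHER_API_KEY` variable, the `/functions/getWeather` path and the handler signature `(req, env, upstreamFetch)` are all assumptions chosen so the example runs offline.

```javascript
// Added illustration, not Base44's scanner or SDK. Part 1 is a tiny
// pattern-based check of the kind a scan runs over frontend source; part 2
// is the fix: the key lives only in a backend function's environment.
// The key formats, WEATHER_API_KEY, /functions/getWeather and the handler
// signature (req, env, upstreamFetch) are assumptions for this example.

// Part 1: constructed frontend source with two embedded credentials.
const VULNERABLE_FRONTEND = `
const API_KEY = "sk_live_EXAMPLE0000000000000000";   // secret key shipped to the browser
const GITHUB_TOKEN = "ghp_EXAMPLEEXAMPLEEXAMPLE0000"; // second credential, same problem
export async function fetchWeather(city) {
  const r = await fetch("https://api.example.com/weather?city=" + city, {
    headers: { Authorization: "Bearer " + API_KEY },
  });
  return r.json();
}
`;

// Assumed patterns; real scanners use far larger sets plus entropy checks.
const SECRET_PATTERNS = [
  { type: "stripe-style-secret-key", re: /sk_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { type: "github-style-token",      re: /gh[pousr]_[0-9A-Za-z]{20,}/g },
  { type: "aws-style-access-key",    re: /AKIA[0-9A-Z]{16}/g },
];

// Report each hit with its line number and a masked value, so the report
// itself does not leak the secret.
function findExposedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const { type, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: idx + 1, type, value: m[0].slice(0, 8) + "..." });
      }
    }
  });
  return findings;
}

// Part 2: the fix. The frontend keeps no key and calls a backend function.
const FIXED_FRONTEND = `
export async function fetchWeather(city) {
  const r = await fetch("/functions/getWeather?city=" + encodeURIComponent(city));
  return r.json();
}
`;

// Backend function: reads the key from the server environment, validates the
// input, and talks to the upstream API on the caller's behalf.
async function getWeatherHandler(req, env, upstreamFetch) {
  const key = env.WEATHER_API_KEY;
  if (!key) return { status: 500, body: { error: "WEATHER_API_KEY not configured" } };
  const city = new URL(req.url, "http://localhost").searchParams.get("city") || "";
  if (!/^[A-Za-z .'-]{1,64}$/.test(city)) return { status: 400, body: { error: "invalid city" } };
  const upstream = await upstreamFetch(
    "https://api.example.com/weather?city=" + encodeURIComponent(city),
    { headers: { Authorization: "Bearer " + key } },
  );
  return { status: upstream.ok ? 200 : 502, body: await upstream.json() };
}
```

Running `findExposedSecrets` over the vulnerable file reports two hits (lines 2 and 3) and none over the fixed file; the handler refuses to start without its key, rejects malformed input before spending a request on the upstream API, and is the only place the key is ever read.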

Backend function issues

Backend functions are parts of your app that run behind the scenes, such as handling payments or saving data. These should only be triggered in safe, controlled ways. Security Scan checks if any of your backend functions are:
  • Open to anyone (when they shouldn’t be), or
  • Set up in a way that doesn’t actually work (for example, a webhook that is misconfigured)
What is a check? Think of it like a security guard at a door. Before letting someone in, the guard makes sure they’re allowed, like checking a name on a guest list. In your app, a check does the same thing: it decides whether a request is safe and allowed before letting it through.
About unauthenticated backend functions
Security Scan flags backend functions that accept sensitive data (like emails, API keys, or IDs) without checking who the user is.
For example, a function that returns subscription details based only on an email in the request could accidentally expose another user’s info if someone changes the email in the request. If a function is flagged, it usually means it’s trusting request data without verifying that the user is logged in or has permission to access it. To fix this, you’ll want to add a quick check in the function, taking the user’s identity from their login session rather than from the request body, to confirm:
  • The user is signed in
  • The request is for their own data
You can paste the error message and your function code into Discuss mode to get step-by-step instructions from the AI. The AI can walk you through adding a quick check that verifies the user is signed in and that the request is for their own data.
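Here is an added example, not Base44’s code or SDK, of the flagged pattern beside its fix. The vulnerable handler returns whatever subscription matches the email in the request; the fixed handler derives the caller’s identity from their session and refuses to serve anyone else’s record. The `getSessionUser` helper, the token-to-user table, the request shape and the sample subscriptions are assumptions standing in for the platform’s real session lookup and data store.

```javascript
// Added illustration, not Base44's code or SDK. The session lookup, request
// shape and sample data are assumptions for the example.

// Constructed subscription store.
const SUBSCRIPTIONS = {
  "alice@example.com": { plan: "pro",  renews: "2025-01-31" },
  "bob@example.com":   { plan: "free", renews: null },
};

// Constructed sessions keyed by bearer token; stands in for the platform's
// real "who is logged in?" lookup.
const SESSIONS = {
  "tok-alice": { email: "alice@example.com" },
  "tok-bob":   { email: "bob@example.com" },
};
function getSessionUser(req) {
  const auth = (req.headers && req.headers.authorization) || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  return SESSIONS[token] || null;
}

// VULNERABLE: whoever sends the request picks the email, and nobody checks
// that they are signed in, let alone that the email is their own.
function getSubscriptionVulnerable(req) {
  const sub = SUBSCRIPTIONS[req.body.email];
  return sub ? { status: 200, body: sub } : { status: 404, body: { error: "not found" } };
}

// FIXED: identity comes from the session, never from the request body.
function getSubscriptionFixed(req) {
  const user = getSessionUser(req);
  if (!user) return { status: 401, body: { error: "sign in required" } };
  // Defensive: if the client still sends an email, it must match the session.
  if (req.body && req.body.email && req.body.email !== user.email) {
    return { status: 403, body: { error: "cannot read another user's subscription" } };
  }
  const sub = SUBSCRIPTIONS[user.email];
  return sub ? { status: 200, body: sub } : { status: 404, body: { error: "not found" } };
}
```

An anonymous caller who sends `{ "email": "alice@example.com" }` gets Alice’s plan back from the vulnerable function and a 401 from the fixed one; Bob, signed in and sending Alice’s email, gets a 403; Alice, signed in, gets her own record without having to send an email at all.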

How to use security scan 

  1. Go to your Dashboard
  2. Click the Security tab
  3. Under Scan Issues, click Start Security Check
  4. Review any issues and click Apply Fixes

Why it matters

Security scan helps you:
  • Prevent accidentally exposing private data
  • Catch misconfigurations (like broken Stripe webhooks)
  • Ship your app with more confidence knowing you’ve checked the essentials.
Security scan gives you clear instructions or lets you apply safe defaults with one click. It’s like having a security expert baked into your dashboard. It covers the common issues listed above; it does not replace reviewing your own code and backend functions.

FAQ