DEV Community: Rakesh Das The latest articles on DEV Community by Rakesh Das (@rakesh_das). https://dev.to/rakesh_das https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1514190%2Ffd251cb3-ec76-43e8-8954-f240c8728163.jpg DEV Community: Rakesh Das https://dev.to/rakesh_das en How I hid my Supabase anon key from the browser using Hono on Cloudflare Workers Rakesh Das Wed, 10 Jun 2026 07:25:11 +0000 https://dev.to/rakesh_das/how-i-hid-my-supabase-anon-key-from-the-browser-using-hono-on-cloudflare-workers-4h84 https://dev.to/rakesh_das/how-i-hid-my-supabase-anon-key-from-the-browser-using-hono-on-cloudflare-workers-4h84 <p>Most Supabase tutorials end with your anon key sitting in <br> <code>.env.local</code>, shipped to the browser, visible to anyone <br> who opens DevTools.</p> <p>That was my setup too — until I decided to actually harden <br> the project before deploying.</p> <p>This is what I changed and why.</p> <h2> The problem </h2> <p>The Supabase anon key is "safe" only if your RLS policies <br> are airtight. That's a big "if." Most developers (myself <br> included) write RLS policies and test them through the app <br> — which only tests the happy path.</p> <p>The real test is hitting your database directly with the <br> anon key, no app involved.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://yourproject.supabase.co/rest/v1/members <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"apikey: YOUR_ANON_KEY"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer YOUR_ANON_KEY"</span> </code></pre> </div> <p>When I did this, I found gaps I didn't know existed.</p> <h2> What I found </h2> <p><strong>Gap 1 — UPDATE policies without WITH CHECK</strong></p> <p>A policy can have a USING clause (checks old values) but <br> no WITH CHECK clause (checks new values). This means a <br> member could update their own row and change their role <br> to admin. The policy allows the update because the old <br> row passes USING — it never checks what the new row <br> looks like.</p> <p>Fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"users can update own profile"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">users</span> <span class="k">FOR</span> <span class="k">UPDATE</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span><span class="p">)</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">id</span> <span class="k">AND</span> <span class="k">role</span> <span class="o">=</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">role</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">users</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">())</span> <span class="p">);</span> </code></pre> </div> <p><strong>Gap 2 — Members table was publicly readable</strong></p> <p>I had a policy that let anyone read the members table. <br> That means names, bios, and join years were exposed to <br> unauthenticated requests. Dropped that policy. Members <br> can only read their own row.</p> <p><strong>Gap 3 — Admin policies referencing the wrong table</strong></p> <p>One of my admin policies used <code>auth.users</code> metadata to <br> check role instead of <code>public.users</code>. These are different <br> tables. The metadata check was unreliable. Fixed to always <br> read from <code>public.users</code>.</p> <h2> The solution — Hono proxy on Cloudflare Workers </h2> <p>After fixing the RLS gaps, I added a second layer: a Hono <br> app on Cloudflare Workers sitting between the React <br> frontend and Supabase.</p> react community developers