DEV Community

Perufitlife
10 free security scanners for the most popular BaaS platforms (2026 edition)

If you're shipping on Supabase, Firebase, Strapi, Directus, Payload CMS, Convex, Hasura, PocketBase, Appwrite, or Nhost — you've already trusted your platform to keep customer data private. The fine print is that the platform only enforces the access controls you configured. Forget one row-level rule, one role permission, one access function — and the platform happily serves your users' data to anyone with your public URL.

Across 100+ projects I've audited in the last 12 months:

  • 22% of Supabase projects leak data anonymously through forgotten RLS policies
  • 23% of Firebase projects have firestore.rules with if true or request.auth != null without ownership check
  • Strapi templates ship with Public-role find enabled on users-permissions/users — exposes every signed-up user
  • Directus with default Public-role read on directus_users leaks hashed passwords + tokens
  • WordPress (not BaaS but worth mentioning) exposes /wp-json/wp/v2/users to anonymous callers by default

The fix in every case takes 5-30 minutes once you know what's exposed. The hard part is finding out.

Below are 10 free scanners — one per platform — that probe your project for the most common anonymous-readable patterns and return a verbatim curl an attacker would run + the exact code/admin steps to fix each finding. All run on the Apify free tier (no credit card needed).

1. Supabase RLS Scanner

Probes ~47 common table names with Prefer: count=exact plus Range: 0-0, so each request fetches at most one row while the Content-Range header reports how many rows the anon role can see in total. A total of 0 is ambiguous (RLS enabled with no policy and a genuinely empty table look identical), so only a non-zero total proves a table is anon-readable. Returns severity-coded findings (CRITICAL for users, orders, sessions; HIGH for posts, messages). Includes a demo mode (click Run with no input) that scans a real sacrificial Supabase project I maintain, so you can see what the report looks like before pasting your own URL + anon key.

2. Firebase Security Auditor

Two-mode probe: provide either projectId (sends an anonymous GET to your Firestore REST endpoint to confirm live leaks) or rulesContent (paste your firestore.rules for static analysis that catches the 7 most common bad patterns: a bare if true, if request.auth != null with no ownership check, test-mode expiry timestamps such as request.time < timestamp.date(...), etc.).
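The static-analysis half of that probe, as an added example that is not the post's code or the Firebase Security Auditor's: a regex-based checker for firestore.rules that flags the three patterns just listed. The sample rules are constructed for the example; the severity labels and the `lintFirestoreRules` / `classifyCondition` names are mine.

```javascript
// Added example, not code from the post or from the Firebase Security Auditor:
// a regex-based checker for firestore.rules that flags three of the patterns
// the post names. A brace stack tracks the enclosing match path so each
// finding says which documents the rule governs. Conditions that call helper
// functions (isOwner(), signedIn(), ...) are not expanded and pass unflagged.
const RULE_TOKEN =
  /match\s+(\S+)\s*\{|function\s+\w+\s*\([^)]*\)\s*\{|(\})|allow\s+([\w\s,]+?)\s*:\s*if\s+([\s\S]*?);/g;

function classifyCondition(cond) {
  const c = cond.replace(/\s+/g, ' ').trim();
  if (c === 'true') return 'OPEN_TO_WORLD';
  if (/request\.time\s*<\s*timestamp\.date\(/.test(c)) return 'TEST_MODE_EXPIRY';
  const gated = /request\.auth(\.uid)?\s*!=\s*null/.test(c);
  // Ownership means the caller's uid is compared with something from the
  // document or the path: request.auth.uid == x, x == request.auth.uid, uid in [...].
  const owns = /request\.auth\.uid\s*(==|in\b)/.test(c) || /==\s*request\.auth\.uid/.test(c);
  if (gated && !owns) return 'AUTH_ONLY_NO_OWNERSHIP';
  return null;
}

const SEVERITY = {
  OPEN_TO_WORLD: 'CRITICAL',
  TEST_MODE_EXPIRY: 'CRITICAL',
  AUTH_ONLY_NO_OWNERSHIP: 'HIGH',
};

function lintFirestoreRules(rulesText) {
  const stack = [];     // enclosing match paths; null marks a function body
  const findings = [];
  for (const m of rulesText.matchAll(RULE_TOKEN)) {
    if (m[1] !== undefined) { stack.push(m[1]); continue; }
    if (m[0].startsWith('function')) { stack.push(null); continue; }
    if (m[2] !== undefined) { stack.pop(); continue; }
    const issue = classifyCondition(m[4]);
    if (!issue) continue;
    findings.push({
      path: stack.filter(Boolean).join(''),
      ops: m[3].split(',').map((s) => s.trim()),
      condition: m[4].replace(/\s+/g, ' ').trim(),
      issue,
      severity: SEVERITY[issue],
    });
  }
  return findings;
}

// Constructed sample, not a real project's rules.
const SAMPLE_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function signedIn() { return request.auth != null; }
    match /users/{userId} {
      allow read: if true;
      allow write: if request.auth != null;
    }
    match /posts/{postId} {
      allow read, write: if request.auth != null && request.auth.uid == resource.data.ownerId;
    }
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2026, 3, 1);
    }
  }
}`;

console.log(lintFirestoreRules(SAMPLE_RULES));
```

The sample yields three findings: the open read on /users, the write on /users that is gated on login but not on ownership, and the catch-all test-mode rule. The /posts rule passes because it compares request.auth.uid against the document. Because this is a linter and not a rules parser, a condition that delegates to a helper function is not expanded; treat its silence as "look at the helper", not "safe".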

3. Strapi Security Scanner

Tries /api/{collection}?pagination[limit]=1 (Strapi v4+) and /{collection}?_limit=1 (Strapi v3) per content-type. Default Strapi templates ship with Public-role find enabled on users-permissions/users (served at /api/users), so that is the first thing it catches: every registered account.

4. Directus Security Scanner

Sends /items/{collection}?limit=1&meta=total_count per collection. The two killer findings: directus_users (hashed passwords + tokens) and directus_files (file metadata + signed download URLs). One caveat: unless a project has changed the field settings, Directus masks hash- and conceal-typed fields such as password and token in API responses, so what a readable directus_users usually hands out is the account list (emails, names, roles, status). That is still full user enumeration and warrants the same fix.

5. Payload CMS Security Scanner

Tries /api/{collection}?limit=1 per slug. Default templates use access: { read: () => true } on most collections — fine for blog posts, fatal for users/orders/media. Report ships with the exact access.read function rewrite per leaky collection.
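What that access.read rewrite looks like, as an added example rather than the scanner's report output or Payload's own template code: the template's `read: () => true` next to an owner-scoped replacement, plus a toy evaluator (constructed here; it is not Payload's query engine) so the effect can be checked without a server. The `owner` field, the `roles` array on the user, and ids stored as plain strings are assumptions about the collection shape.

```javascript
// Added example, not code from the post or from Payload's templates: the
// template's `read: () => true` next to an owner-scoped replacement, plus a
// toy evaluator (constructed here, it is not Payload's query engine) so the
// effect can be checked without a server. The `owner` field, the `roles`
// array on the user and ids stored as plain strings are assumptions.
const publicRead = () => true;                      // what the template ships

// A Payload access function may return a boolean or a Where query; a Where
// result makes Payload apply that constraint to every read and list.
const ownerOnlyRead = ({ req: { user } }) => {
  if (!user) return false;                          // anonymous: nothing
  if (user.roles?.includes('admin')) return true;   // admins: everything
  return { owner: { equals: user.id } };            // others: own documents only
};

const Orders = {
  slug: 'orders',
  access: {
    read: ownerOnlyRead,                            // was: read: () => true
    create: ({ req }) => Boolean(req.user),
  },
  fields: [
    { name: 'owner', type: 'relationship', relationTo: 'users', required: true },
    { name: 'total', type: 'number' },
  ],
};

// Toy evaluator for the `equals` operator only: enough to show what a Where
// result does to one document.
function allowedToRead(accessResult, doc) {
  if (typeof accessResult === 'boolean') return accessResult;
  return Object.entries(accessResult).every(([field, cond]) => doc[field] === cond.equals);
}

function canRead(collection, user, doc) {
  return allowedToRead(collection.access.read({ req: { user } }), doc);
}

// Constructed sample document.
const sampleOrder = { id: 'o1', owner: 'u1', total: 42 };
console.log(canRead(Orders, null, sampleOrder), canRead(Orders, { id: 'u1', roles: [] }, sampleOrder));
```

Returning a Where query instead of `true` is the part people miss: it keeps list endpoints working for signed-in users while Payload filters them down to their own rows, so the same function covers both the single-document and the collection read.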

6. Convex Security Scanner

POSTs {path: "users:list", args: {}} to your deployment's /api/query endpoint for ~30 common function paths. Convex functions are public by default: anyone who knows the path can call a query unless its handler checks the caller's identity itself (ctx.auth.getUserIdentity(), or a helper such as getAuthUserId(ctx) from Convex Auth) and returns nothing when there is none.

7. Hasura Security Scanner

GraphQL {table}_aggregate { aggregate { count } } plus sample queries against your Hasura endpoint (self-hosted, Hasura Cloud, or any framework on top). Unauthenticated requests only get a role when HASURA_GRAPHQL_UNAUTHORIZED_ROLE is set; every SELECT permission granted to that role, typically copy-pasted from a tutorial example, is then world-readable.

8. PocketBase Security Scanner

GET /api/collections/{name}/records?perPage=1 per collection. PocketBase's API rules look strict on paper, but @request.auth.id != "" only requires "some signed-up user", which after a self-serve signup means anyone, and an empty rule means everyone, signed in or not. Scope the rule to the record instead, e.g. @request.auth.id != "" && owner = @request.auth.id.

9. Appwrite Security Auditor

Sends /v1/databases/{db}/collections/{c}/documents?queries[]=limit(1) with an X-Appwrite-Project: <id> header. A read permission granted to the any role (read("any") on the collection, or on individual documents when document security is on) exposes every document to unauthenticated callers.

10. Nhost Security Scanner

GraphQL probe against your Nhost project's Hasura endpoint. Specifically targets the unauthenticated role Nhost provisions by default (public, wired in through HASURA_GRAPHQL_UNAUTHORIZED_ROLE) and looks for SELECT permissions inherited from Hasura's permissions-tutorial-fixture starter.
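The probe template the ten scanners share, as an added example that is not code from any of the Apify actors: one scanner skeleton where each platform adapter builds the unauthenticated request and interprets the reply, the verdicts feed a shared severity table, and the report carries the reproduction curl. The transport is injected, so the block runs offline against constructed replies; the adapters for Supabase, Strapi and PocketBase show the three reply shapes (Content-Range header, meta.pagination.total, totalItems). Table names, severity buckets, the fake replies and the hostnames are assumptions.

```javascript
// Added example, not code from the post or from any of the Apify scanners:
// the "same probe template, scoped per platform" as one scanner skeleton.
// Each adapter builds the unauthenticated request and interprets the reply;
// the transport is injected, so this runs offline against constructed replies.
// Table names, severity buckets, the fake replies and the example hostnames
// are assumptions, not output from a real project.

const SEVERITY_BY_NAME = {
  CRITICAL: ['users', 'profiles', 'orders', 'sessions', 'payments'],
  HIGH: ['posts', 'messages', 'comments'],
};
const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM'];
const severityFor = (name) =>
  SEVERITY_ORDER.find((s) => (SEVERITY_BY_NAME[s] || []).includes(name)) || 'MEDIUM';

// PostgREST reports the total in Content-Range: "0-0/1532" (one row of 1532)
// or "*/0" (nothing visible). Missing header -> NaN, treated as no evidence.
const contentRangeTotal = (h) => Number((h || '').split('/')[1] ?? NaN);

// Shared verdict shape: readable (with a row count), denied, not_found, or
// empty_or_blocked (no rows came back, which proves nothing either way).
const verdict = (total) =>
  total > 0 ? { state: 'readable', rows: total } : { state: 'empty_or_blocked' };

const ADAPTERS = {
  supabase: {
    request: (base, name, { anonKey }) => ({
      url: `${base}/rest/v1/${name}?select=*`,
      headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}`, Prefer: 'count=exact', Range: '0-0' },
    }),
    interpret: (r) => {
      if (r.status === 404) return { state: 'not_found' };
      if (r.status === 401 || r.status === 403) return { state: 'denied' };
      // RLS enabled with no policy and a genuinely empty table both answer 200 with "*/0".
      return verdict(contentRangeTotal(r.headers['content-range']));
    },
  },
  strapi: {
    request: (base, name) => ({ url: `${base}/api/${name}?pagination[limit]=1`, headers: {} }),
    interpret: (r) => {
      if (r.status === 404) return { state: 'not_found' };
      if (r.status === 401 || r.status === 403) return { state: 'denied' };
      return verdict(r.body?.meta?.pagination?.total ?? 0);
    },
  },
  pocketbase: {
    request: (base, name) => ({ url: `${base}/api/collections/${name}/records?perPage=1`, headers: {} }),
    interpret: (r) => {
      if (r.status === 404) return { state: 'not_found' };
      if (r.status !== 200) return { state: 'denied' };
      return verdict(r.body?.totalItems ?? 0);
    },
  },
};

// The reproduction line a report hands back to the developer.
function toCurl({ url, headers }) {
  const h = Object.entries(headers).map(([k, v]) => `-H '${k}: ${v}'`).join(' ');
  return `curl -s -i ${h} '${url}'`.replace(/\s+/g, ' ');
}

// send(req) -> { status, headers, body }. Wrap fetch for real use; here a
// lookup over constructed replies stands in for the network.
function scan(platform, base, names, opts, send) {
  const adapter = ADAPTERS[platform];
  const findings = [];
  for (const name of names) {
    const req = adapter.request(base, name, opts);
    const v = adapter.interpret(send(req));
    if (v.state === 'readable') {
      findings.push({ name, rows: v.rows, severity: severityFor(name), repro: toCurl(req) });
    }
  }
  return findings.sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
}

// Constructed replies for a Supabase project: users and posts leak, orders
// has RLS on with no policy (looks empty), sessions does not exist.
const FAKE_SUPABASE = {
  users:    { status: 200, headers: { 'content-range': '0-0/1532' }, body: [{ id: 1 }] },
  orders:   { status: 200, headers: { 'content-range': '*/0' }, body: [] },
  posts:    { status: 200, headers: { 'content-range': '0-0/88' }, body: [{ id: 1 }] },
  sessions: { status: 404, headers: {}, body: {} },
};
const fakeSend = (req) => FAKE_SUPABASE[req.url.match(/\/rest\/v1\/(\w+)/)[1]];

const report = scan('supabase', 'https://example.supabase.co', Object.keys(FAKE_SUPABASE), { anonKey: 'anon-key' }, fakeSend);
console.log(report);
```

Two design points carry over to any of the platforms. First, a scanner should only claim a leak on positive evidence (a non-zero count), since "no rows" is what both an empty table and a correctly locked-down one return. Second, the request object that produced the finding is kept and rendered as the curl, so the developer can re-run the exact probe after applying the fix rather than trusting the tool's word.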

How to use the demo modes

Every scanner above ships with a demo mode — click Run with no input, and you'll get back a sample HTML report (Supabase scanner runs a real scan against a sacrificial project I maintain with intentional leaks). Use this to see what a real report looks like before deciding whether to paste your own credentials.

What if you find leaks?

Three options, in order of effort:

  1. Free: Each scanner's HTML report includes paste-ready fix snippets. Drop them into your config/migrations and re-run the scanner.
  2. $29 — I run the scan + write a 1-page summary report + send it to you in 24 hours. For when you want a sanity check without committing further. Stripe.
  3. $99 — I do the fix myself + verify with re-scan, 48-hour turnaround, money-back if I miss anything actionable. Stripe.

There's also a $29/mo continuous monitoring SaaS for the cases where you ship often and want fresh scans every week: rls-monitor.vercel.app.

Why this exists

I'm a solo developer in Lima. I built the @perufitlife/supabase-security CLI in March, then ran it against ~30 random public Supabase projects pulled from GitHub. 22% were leaking user data anonymously. After publishing the npm package, I realized the same RLS-forgetting pattern applies to every BaaS. So I shipped a scanner for each one.

All 10 scanners use the same probe template, scoped per platform's API. The Apify Store layer exists because most developers won't npx something against their production project — but they will click Run on a public Apify actor that runs in someone else's environment.

How to support

If you find any of these useful, the single highest-leverage thing you can do is leave a 30-second review on the Apify Store page. Reviews are the only signal Apify's store ranking algorithm cares about for solo publishers.

Or share this post with someone shipping on a BaaS. Most leaks I find come from teams that never thought to check.


Renzo, solo dev in Lima. Open-source: @perufitlife/supabase-security. 10 Apify scanners. Threads also on dev.to/perufitlife.

Top comments (0)