Fix guide · high · open_supabase_storage_bucket

Supabase Storage bucket marked Public

What this rule means

A Storage bucket has the Public toggle on, so every object in it can be downloaded through its public URL with no authentication: anyone who knows or guesses a file path can fetch the file.

Why it matters

For an avatar bucket this is fine. For a 'user uploads' bucket holding private documents or PII, every file in it is readable by anyone who can guess the path, no login required.

How to fix it

  1. Identify the bucket in Dashboard → Storage. Toggle Public off if the bucket shouldn't be public.
  2. Write Storage RLS policies that scope access to the file owner.
  3. For files that are meant to be public, use unguessable filenames (UUIDs) so the contents can't be enumerated by guessing paths.
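Steps 1 and 2 as a single SQL migration, added here as an example and not part of the original guide. It assumes the bucket id is `user-uploads` and that clients store each object under a first-level folder named after the uploader's user id (e.g. `<uuid>/statement.pdf`), which is what the owner check keys on.

```sql
-- Added example (not from the original fix guide). Assumes bucket id
-- 'user-uploads' and object paths of the form '<auth.uid()>/<file>'.

-- Step 1: turn the Public toggle off (same effect as the Dashboard switch).
update storage.buckets
set public = false
where id = 'user-uploads';

-- Step 2: owner-scoped RLS policies on storage.objects.
-- RLS is already enabled on storage.objects; with no matching policy a
-- request is denied, so these rules are the only way in.

-- Read: only the user whose id is the first path segment.
create policy "user-uploads: owner can read"
on storage.objects for select
to authenticated
using (
  bucket_id = 'user-uploads'
  and (storage.foldername(name))[1] = (select auth.uid()::text)
);

-- Upload: users may only write under their own prefix.
create policy "user-uploads: owner can upload"
on storage.objects for insert
to authenticated
with check (
  bucket_id = 'user-uploads'
  and (storage.foldername(name))[1] = (select auth.uid()::text)
);

-- Delete: same scoping as read.
create policy "user-uploads: owner can delete"
on storage.objects for delete
to authenticated
using (
  bucket_id = 'user-uploads'
  and (storage.foldername(name))[1] = (select auth.uid()::text)
);

-- Check: the bucket should now report public = false and the three
-- policies above should be listed for storage.objects.
select id, public from storage.buckets where id = 'user-uploads';
select policyname, cmd
from pg_policies
where schemaname = 'storage' and tablename = 'objects'
  and policyname like 'user-uploads:%';
```

Once the bucket is private, a file that genuinely needs to be shared outside the owner's session can be handed out with a time-limited signed URL instead of flipping the bucket back to Public.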

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
