IndustriesWorkPlaybookHow it worksAboutBook a systems auditBring us your idea

How do I secure the database behind my app?

Straight answer

You secure a database by turning on access rules so it is not open by default, enforcing that each user can only reach their own records, keeping its credentials server-side, and restricting who can connect. Most AI-built apps leave the database permissive, so the job is switching protection on and confirming a stranger cannot read it.

Information current as at 5 July 2026

The database is where your app's memory lives: users, orders, messages, everything. It is also the thing AI builders most often leave unlocked, because restrictive rules slow down a demo. An open database is a leak waiting to happen, but closing it is a defined job you can work through. Here are the steps, in order of importance, to make yours safe.

Plain English
Access rules
Settings that decide who can read or change data, instead of leaving it open to all.
Row-level security
Rules that limit each user to only the specific records that belong to them.
Credentials
The keys and passwords your app uses to connect to the database, which must stay secret.
Least privilege
Giving each part of the system only the access it genuinely needs, and no more.

Step by step

  1. Find out whether it is open right nowStart by learning the true state of your database. Log in to your database service, often something like Supabase, and look at the access or security settings for each table. The question is whether access rules are switched on and written, or whether the table is effectively readable and writable by default. Many AI-built apps leave tables permissive. If you cannot clearly see a rule protecting a table, assume it is open, because an unprotected table is the single most dangerous state and the one to fix first.
  2. Turn on access rules so nothing is open by defaultSwitch on the access control mechanism your database offers, so that access is denied unless a rule explicitly allows it. In services like Supabase this is enabling row-level security on each table. The principle is that the default answer to "can this request read this data" should be no, with access granted only where you have deliberately written a rule. This one change converts a database that leaks by default into one that protects by default, which is the foundation everything else builds on.
  3. Write rules so each user reaches only their own dataWith access denied by default, add rules that grant exactly the access each user should have and no more. The most important pattern is that a logged-in user can read and change their own records, and only their own: their orders, their profile, their messages. This is what stops the common leak where changing a number in the address reveals someone else's data. Write the rules per table, test them by logging in as one user and confirming you cannot reach another user's records, and keep them as tight as the app allows.
  4. Keep the database credentials secret and server-sideYour database is reached using credentials, keys and passwords, and these must never appear in the frontend where the browser can read them. Confirm no database credential is visible in your page source or network requests. Sensitive database access should happen through your server, which holds the secret key, rather than directly from the visitor's browser. If a database credential was ever exposed, rotate it now so the old one stops working, and store the new one as a server-side environment variable.
  5. Restrict connections and keep a backupFinish by narrowing who and what can connect at all, following least privilege: if the service lets you limit connections to your app or specific addresses, do so, so a stray credential is less useful to a stranger. Turn off any public or demo access you no longer need. Then confirm you have a working backup of the data, because security is also about recovering from mistakes, not only preventing intrusions. A locked-down database you can restore from is a genuinely safe one.
No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Common questions

Questions, answered

How do I know if my database is open?
Log in to your database service and check whether access rules, such as row-level security, are switched on for each table, or whether the tables are permissive by default. If you cannot see a rule actively protecting a table, assume it is open. An unprotected table is the highest-priority thing to fix, before any other security work.
What is row-level security, in plain terms?
It is a way of writing rules so each user can only reach the specific records that belong to them, rather than all records in a table. It is what stops one customer viewing another's data by changing an identifier in the address. Turning it on and writing sensible rules is the core of securing a database.
The app still works after I lock it down. Did I do it right?
That is the goal: a well-secured database is invisible to legitimate use and only blocks what should be blocked. To confirm, log in as one user and try to reach another user's data; you should be denied. If ordinary use works but cross-user access is refused, your rules are doing their job. Test the denials, not just the app.
Do I need to secure the database if the app has a login?
Yes, absolutely. A login in the browser can be bypassed by talking to the database directly, so the login alone protects nothing at the data layer. The database needs its own access rules enforced on the server. Login plus real database rules is the safe combination; login without them is a curtain, not a wall.
No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Start here

Two doors. Same senior team.

Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.