CRITICAL
Supabase Row Level Security (RLS) Misconfiguration
What is it?
Supabase ships new tables with RLS OFF by default. Until RLS is enabled on a table, the public anon key (shipped in every JS bundle) works as a full SELECT credential for it.
How to fix
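-- your_table is a placeholder: repeat for each affected table.
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
-- Allow SELECT only when the request carries an authenticated user.
CREATE POLICY "auth_only" ON your_table FOR SELECT USING (auth.uid() IS NOT NULL);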
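To find which tables still need the fix, the audit queries below are an added example, not part of the original page or of Supabase's own tooling. They read only the standard PostgreSQL catalogs and assume the tables served to clients live in the `public` schema.

```sql
-- Added example: read-only audit of RLS coverage in the public schema.
-- Run in the Supabase SQL editor or psql. Nothing here modifies data.

-- 1. Tables with RLS disabled. Any role that holds SELECT on these
--    (including the one behind the anon key) can read every row.
SELECT n.nspname AS schema_name,
       c.relname AS table_name
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND NOT c.relrowsecurity             -- RLS not enabled
ORDER BY table_name;

-- 2. Tables with RLS enabled but no policy at all. PostgreSQL denies
--    every row to non-owner roles here, so the app gets empty results
--    until a policy such as "auth_only" is created.
SELECT c.relname AS table_name
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND c.relrowsecurity
  AND NOT EXISTS (
        SELECT 1
        FROM pg_catalog.pg_policy p
        WHERE p.polrelid = c.oid
      )
ORDER BY table_name;

-- 3. Existing read policies and their USING expressions, for review.
--    A qual of (auth.uid() IS NOT NULL) lets any signed-in user read
--    all rows; check that this is what each table is meant to allow.
SELECT tablename,
       policyname,
       roles,
       cmd,
       qual
FROM pg_catalog.pg_policies
WHERE schemaname = 'public'
  AND cmd IN ('SELECT', 'ALL')
ORDER BY tablename, policyname;
```

An empty result from query 1 means every table in `public` has RLS enabled; rerun it after each migration, since the default applies to every newly created table.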
Scan for this vulnerability
Security Scanner automatically checks for this issue as part of its 70+ module scan. Try it free — no signup needed for the quick scan.