Do I need RLS on every Supabase table?
Short answer
Yes. New Supabase tables default to RLS off. Unless RLS is explicitly enabled, the public anon_key can read every row. The Lovable BOLA breach of Apr 2026 affected 10.3% of apps because of this exact pattern.
Supabase ships the anon_key in every client by design, so without RLS anyone holding that key can read every table. Default-deny RLS plus explicit per-tenant policies on every table is non-negotiable.
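The pattern described above, as an added example that is not part of the original page or of any template it links to: an audit query for tables that still have RLS off, then default-deny plus per-tenant policies. The tables `public.documents` and `public.memberships` and the policy names are hypothetical; `auth.uid()` and the `authenticated` role are the ones Supabase provides.

```sql
-- Hypothetical schema for the example (constructed, not from the page).
create table public.memberships (user_id uuid not null, tenant_id uuid not null);
create table public.documents (
  id uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  body text
);

-- 1. Audit: every table in the API-exposed schema that still has RLS off.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')      -- ordinary and partitioned tables
  and not c.relrowsecurity
order by c.relname;                -- both tables above are listed at this point

-- 2. Default deny: with RLS on and no policy, anon and authenticated get zero rows.
alter table public.memberships enable row level security;
alter table public.documents  enable row level security;

-- 3. Explicit policies. A user sees only their own membership rows...
create policy memberships_own_rows on public.memberships
  for select to authenticated
  using (user_id = (select auth.uid()));

-- ...and only documents belonging to a tenant they are a member of.
create policy documents_tenant_select on public.documents
  for select to authenticated
  using (tenant_id in (select m.tenant_id from public.memberships m
                       where m.user_id = (select auth.uid())));

-- Writes need their own check, otherwise inserts stay denied.
create policy documents_tenant_insert on public.documents
  for insert to authenticated
  with check (tenant_id in (select m.tenant_id from public.memberships m
                            where m.user_id = (select auth.uid())));

-- 4. Verify: the audit query in step 1 now returns no rows, and the
--    policies in force are visible here. No policy names the anon role.
select tablename, policyname, cmd, roles
from pg_policies
where schemaname = 'public'
order by tablename, policyname;
```

Running the step 1 query in CI after every migration catches a new table that was created without the `enable row level security` statement.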
See /templates/rls-policy-supabase for the canonical SQL bundle. Securie's Supabase RLS specialist scans every migration and flags missing RLS.