How do I fix a Supabase leak?
Short answer
Enable Row-Level Security on every affected table (a table with RLS on and no policies returns no rows to `anon` or `authenticated`, which is your default-deny), add explicit allow policies scoped by `auth.uid()` and tenant, rotate the service-role key if it was ever shipped client-side or committed to a repo, and verify that a request carrying only the anon key now gets nothing back from those tables (or re-scan from /signup). Total time: 20-45 minutes.
Immediate remediation steps:
- **Enable RLS everywhere it is missing.** This query generates one statement per `public` table that still has RLS off:

```sql
select 'alter table ' || quote_ident(schemaname) || '.' || quote_ident(tablename) || ' enable row level security;'
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

Run each generated statement. Repeat for any other schema you expose through the API, and remember that a view runs with its owner's privileges unless it was created with `security_invoker`, so a view over a locked-down table can still leak it.
- **Default-deny is automatic once RLS is on.** A table with RLS enabled and no policies returns no rows to `anon` or `authenticated` (the table owner and `service_role` bypass RLS). Skip the `create policy deny_all on public.<table> for all using (false) with check (false);` policy that some guides add: policies are permissive by default and combined with OR, so it changes nothing once an allow policy exists, and written `as restrictive` it would block your allow policies as well.
- **Add explicit allow policies**, one per operation, restricted to `authenticated` so `anon` is never matched:

```sql
create policy users_read_own on public.orders
  for select to authenticated
  using (
    auth.uid() = user_id
    and tenant_id = (auth.jwt() ->> 'tenant')::uuid
  );
```

`select` policies use `using`; `insert` needs `with check` and `update` needs both, otherwise writes stay denied. The `tenant` claim must actually be in the JWT, set server-side (for example by a custom access token hook); never derive tenancy from `user_metadata`, which the user can edit.
- **Rotate the service-role key if it was ever exposed** (browser bundle, mobile app, git history, logs)
- Supabase dashboard → Settings → API → Roll service_role secret
- Update every server-side environment; the key belongs only on servers and in secrets managers, never in client code
- If the project still uses the legacy JWT-based keys, rotating the JWT secret also invalidates the anon key and every active user session, so plan the cutover
- **Verify.** Query the affected tables with only the anon key and confirm you get no rows and that no write succeeds; then re-scan from /signup to confirm nothing else is exposed.
- **Prevent regression** — install Securie on the GitHub repo your AI coding tool (Lovable, Bolt, Cursor) writes to. Future migrations get RLS-checked on every PR, so a new table without RLS is caught before it ships.
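As an added, complete example (written for this page, not code from the page or from Securie or Supabase), here are the steps above applied to a hypothetical `public.orders(id, user_id uuid, tenant_id uuid)` table, followed by an in-editor check that the policies behave as intended. Like the page's own policy, it assumes a custom `tenant` claim at the top level of the user's JWT; the UUIDs are constructed. Run it in the Supabase SQL editor.

```sql
-- Hypothetical table for the example (constructed; adapt to your schema).
create table if not exists public.orders (
  id        bigint generated always as identity primary key,
  user_id   uuid not null,
  tenant_id uuid not null,
  total     numeric not null default 0
);

-- 1. Enable RLS. With no policies, anon and authenticated now get no rows.
alter table public.orders enable row level security;

-- 2. Explicit allow policies, scoped to the signed-in user and their tenant.
--    Only 'authenticated' is named, so anon never matches any policy.
create policy orders_select_own on public.orders
  for select to authenticated
  using (auth.uid() = user_id
         and tenant_id = (auth.jwt() ->> 'tenant')::uuid);

create policy orders_insert_own on public.orders
  for insert to authenticated
  with check (auth.uid() = user_id
              and tenant_id = (auth.jwt() ->> 'tenant')::uuid);

create policy orders_update_own on public.orders
  for update to authenticated
  using (auth.uid() = user_id
         and tenant_id = (auth.jwt() ->> 'tenant')::uuid)
  with check (auth.uid() = user_id
              and tenant_id = (auth.jwt() ->> 'tenant')::uuid);
-- No delete policy: deletes stay denied until you decide who may delete.

-- 3. Review what is now in force.
select tablename, policyname, permissive, roles, cmd
from pg_policies
where schemaname = 'public' and tablename = 'orders';

-- 4. Test the policies without an HTTP client. auth.uid() and auth.jwt()
--    read the request.jwt.claims setting, which is what PostgREST sets on
--    a real request, so set_config + set local role reproduces one.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated","tenant":"00000000-0000-0000-0000-0000000000aa"}',
    true);
  -- Own row: allowed by orders_insert_own.
  insert into public.orders (user_id, tenant_id, total)
    values ('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-0000000000aa', 10);
  -- Expect only rows with user_id ...01 and tenant_id ...aa.
  select id, user_id, tenant_id from public.orders;
rollback;

begin;
  set local role anon;
  -- Expect zero rows: RLS is on and no policy names anon.
  select count(*) from public.orders;
rollback;
```

Wrapping each test in `begin ... rollback` keeps the sample row out of the table and resets the role. If the anon block returns rows, RLS is not actually enabled on that table; if the authenticated block returns rows from another tenant, the `tenant` claim is missing from the JWT or the policy compares the wrong column.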
People also ask
Is my Supabase public?
Your Supabase is public by default on any table without Row-Level Security enabled. Anyone with your anon key (which shi…
What is Supabase RLS and do I need it?
Row-Level Security (RLS) restricts which database rows each user can read or write. You absolutely need it on every Supa…