What is Supabase RLS and do I need it?
Row-Level Security (RLS) restricts which database rows each user can read or write. You absolutely need it on every Supabase table that holds user data. Without RLS, the anon key that ships in your app can read every row in that table.
RLS is a Postgres feature that Supabase leans on heavily. When enabled on a table, every query (including queries using your public anon key) is filtered through policies you define.
Without RLS:

```sql
-- Any user can read every order
select * from orders;
```
With RLS + policy:

```sql
alter table orders enable row level security;

create policy users_read_own on orders
  for select
  using (auth.uid() = user_id);
-- Users only see their own orders now
```
Do you need it? Yes, always, on every table except explicitly-public reference tables. The anon key is designed to be public — it ships in your client JavaScript. RLS is the only thing between the anon key and your user data.
Checklist:

1. `alter table <t> enable row level security` on every table
2. Default-deny policy: `using (false)` as a base layer
3. Explicit allow policies scoped by `auth.uid()` + tenant
4. Test with /signup before shipping
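The checklist carried through on one table, as an added example (not from the original page): enabling RLS, adding allow policies scoped by both `auth.uid()` and a tenant, and checking the result as a signed-in user directly from the SQL editor. The `orders` columns, the `tenant_id` claim under `app_metadata`, and the sample UUIDs are assumptions; the claim-impersonation step assumes the editor's role may `set role authenticated`, as the Supabase SQL editor's postgres role can.

```sql
-- Added example, not the page's own code. Table and column names are illustrative.
create table if not exists orders (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  user_id     uuid not null default auth.uid(),
  total_cents integer not null check (total_cents >= 0)
);

-- Step 1: enable RLS. With RLS on and no policies, Postgres already denies
-- every row to anon/authenticated; only the table owner and roles with
-- BYPASSRLS (Supabase's service_role) still see everything. Keep the
-- service_role key server-side only.
alter table orders enable row level security;

-- Step 3: allow policies scoped by auth.uid() AND tenant. Permissive policies
-- are OR'd together, so each one must be as narrow as its use case allows.
-- The tenant lives in a JWT claim at app_metadata.tenant_id (assumed layout).
create policy orders_select_own on orders
  for select to authenticated
  using (
    user_id = auth.uid()
    and tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid
  );

-- Writes need WITH CHECK, otherwise a user could insert rows into another
-- tenant that they can then never read back (or that others can).
create policy orders_insert_own on orders
  for insert to authenticated
  with check (
    user_id = auth.uid()
    and tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid
  );

-- Step 4: test as a signed-in user without a real login. Impersonate the
-- authenticated role and set the claims PostgREST would derive from the JWT;
-- set_config(..., true) scopes them to this transaction only.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","app_metadata":{"tenant_id":"00000000-0000-0000-0000-0000000000aa"}}',
  true);
select * from orders;  -- only rows where user_id = sub and tenant_id matches
rollback;
```

Repeat the test block with a different `sub` or `tenant_id` and confirm the result set is empty; an unexpected row there means a policy is wider than intended.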