Supabase RLS audit playbook

Per-table RLS review. Run quarterly and before any major release. The Lovable Apr 2026 BOLA breach affected 10.3% of apps because of missing RLS; this playbook is the structural fix.

For: Any team using Supabase in production

Per-table review

  • Open Supabase Studio → Authentication → Policies (critical)
  • Confirm the RLS toggle is ON for every table (critical)
  • Confirm at least one policy per table (default-deny baseline + explicit allows) (critical)
  • Confirm policies are tenant-scoped (auth.uid() AND the tenant claim from the JWT) (critical)

Per-policy review

  • Each policy uses the canonical current_tenant_id() helper or auth.jwt() ->> 'tenant', not a raw GUC lookup (critical)
  • Each table's policies together cover all 4 verbs: select, insert, update, delete
  • Storage buckets have RLS policies on storage.objects (critical)
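The per-table and per-policy checks above, as an added worked example (not code from the playbook or from Securie): a hypothetical public.documents table with a tenant_id column, the default-deny baseline, one tenant-scoped policy per verb, and a review query for the RLS toggle. It assumes the JWT carries a "tenant" claim.

```sql
-- Added example, not from the playbook: tenant-scoped RLS for a hypothetical
-- public.documents table. Assumes a tenant_id column and a "tenant" JWT claim.
create table if not exists public.documents (
  id uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  owner_id uuid not null default auth.uid(),
  body text
);

-- Step 1: turn RLS on. With no policies this is the default-deny baseline:
-- every query through the anon or authenticated role returns zero rows.
alter table public.documents enable row level security;
-- Force RLS for the table owner too, so a misconfigured role cannot bypass it.
alter table public.documents force row level security;

-- Canonical helper: read the tenant claim through auth.jwt(), not a raw GUC.
create or replace function public.current_tenant_id()
returns uuid
language sql
stable
as $$
  select nullif(auth.jwt() ->> 'tenant', '')::uuid;
$$;

-- Step 2: explicit allows, one per verb, each scoped to tenant and user.
create policy documents_select on public.documents
  for select to authenticated
  using (tenant_id = public.current_tenant_id());

create policy documents_insert on public.documents
  for insert to authenticated
  with check (tenant_id = public.current_tenant_id() and owner_id = auth.uid());

create policy documents_update on public.documents
  for update to authenticated
  using (tenant_id = public.current_tenant_id() and owner_id = auth.uid())
  with check (tenant_id = public.current_tenant_id() and owner_id = auth.uid());

create policy documents_delete on public.documents
  for delete to authenticated
  using (tenant_id = public.current_tenant_id() and owner_id = auth.uid());

-- Step 3: review queries. Any row with rls_enabled = false, or any table
-- missing from the policy count, fails the per-table checklist.
select c.relname as table_name, c.relrowsecurity as rls_enabled,
       c.relforcerowsecurity as rls_forced
from pg_class c join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r'
order by 1;

select tablename, count(*) as policy_count
from pg_policies where schemaname = 'public'
group by 1 order by 1;
```

Run the review queries in the SQL editor as a role that can read pg_catalog; the anon-key query in the cross-tenant test below should still return zero rows against this table.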

anon_key audit

  • anon_key only used client-side (critical)
  • service_role key NEVER in client code
  • service_role key NEVER in a NEXT_PUBLIC_ / VITE_ / PUBLIC_ env var (critical)

Cross-tenant test

  • Create two test tenants with the same user_id pattern (critical)
  • Sign in as user A in tenant 1; query each table; expect only tenant-1 rows
  • Sign in as user B in tenant 2 (same email); query each table; expect only tenant-2 rows
  • anon-key test: with no auth, query each table; expect zero rows (default-deny)

Securie integration

  • Securie's Supabase RLS specialist runs on every PR (critical)
  • Securie's AuthAuthz/BOLA specialist sandbox-verifies cross-tenant reads
  • Quarterly Supabase Audit Log review (app.supabase.com → Reports → Audit Log)