What is RLS (Row-Level Security)?
A PostgreSQL feature (used heavily by Supabase) that restricts which rows a database role can read or write, via per-table policies that PostgreSQL evaluates on every query once row-level security has been enabled on that table.
Full explanation
Row-Level Security adds a policy layer inside PostgreSQL. It is off by default and must be switched on per table (`alter table ... enable row level security`); once enabled, a table with no policies returns or accepts no rows for ordinary roles, and each policy you add opens access for a specific command (SELECT, INSERT, UPDATE, DELETE, or ALL) to the rows its `using` / `with check` expression accepts. Policies only narrow what a role's table privileges already allow, and the table owner and superusers bypass them unless `force row level security` is set. Supabase builds its auth model on RLS: PostgREST runs each request as the role named in the JWT, so the public anon key runs as the `anon` role, a logged-in user's token runs as `authenticated` with the user's id in the `sub` claim, and both are constrained only by RLS policies. The `service_role` key bypasses RLS and must never reach a client. If RLS is disabled on a table, or policies are misconfigured, any client holding the anon key can read or modify data it should not.
Example
`create policy users_read_own on orders for select using (auth.uid() = user_id);` — this policy allows a user to read only the orders whose `user_id` matches their own id. `auth.uid()` is a Supabase helper that returns the caller's user id from the request JWT, and because the policy is `for select` it says nothing about writes: without separate INSERT, UPDATE and DELETE policies those commands stay denied.
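The following is an added example, not code from the original page or from Supabase: it enables RLS on a constructed `orders` table, writes one policy per command, and then checks the policies from `psql` by impersonating two users. It assumes a Supabase database, where `auth.uid()` reads the `sub` claim from the `request.jwt.claims` setting and the `authenticated` role exists; the two UUIDs are made up.

```sql
-- Added example (not from the original page): a minimal orders table with RLS
-- enabled and one policy per command, followed by a policy check run as the
-- 'authenticated' role. Assumes Supabase's auth.uid() and the anon/authenticated roles.

create table public.orders (
  id       bigint generated always as identity primary key,
  user_id  uuid not null default auth.uid(),
  item     text not null,
  amount   numeric not null check (amount >= 0)
);

-- Without this line no policy is consulted at all; with it and no policies,
-- the table is default-deny for every role except its owner and superusers.
alter table public.orders enable row level security;

-- Table owners bypass RLS unless it is forced; keep it on for the owner too,
-- so local tests cannot pass simply because they ran as the owner.
alter table public.orders force row level security;

-- Privileges are checked first, then policies narrow the rows.
-- Nothing is granted to anon: unauthenticated clients get no rows at all.
grant select, insert, update, delete on public.orders to authenticated;

-- USING filters rows that already exist; WITH CHECK validates rows being
-- written. A SELECT-only policy leaves INSERT/UPDATE/DELETE denied.
create policy orders_select_own on public.orders
  for select to authenticated
  using (auth.uid() = user_id);

create policy orders_insert_own on public.orders
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy orders_update_own on public.orders
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);   -- also blocks re-assigning a row to someone else

create policy orders_delete_own on public.orders
  for delete to authenticated
  using (auth.uid() = user_id);

-- Policy check inside one transaction. Supabase's auth.uid() reads the 'sub'
-- claim from the request.jwt.claims setting, so setting it locally and
-- switching to the authenticated role reproduces what PostgREST does.
begin;
  -- constructed user A
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
  set local role authenticated;

  insert into public.orders (item, amount) values ('keyboard', 49.00);
  select count(*) from public.orders;   -- 1: user A sees their own row

  -- constructed user B: same transaction, different sub claim
  select set_config('request.jwt.claims',
    '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}', true);

  select count(*) from public.orders;   -- 0: A's row is filtered out, not an error
  update public.orders set amount = 0 where item = 'keyboard';   -- UPDATE 0: nothing matched

  -- Writing a row on behalf of A fails the WITH CHECK clause and aborts the
  -- transaction with: new row violates row-level security policy for table "orders"
  insert into public.orders (user_id, item, amount)
  values ('11111111-1111-1111-1111-111111111111', 'mouse', 19.00);
rollback;
```

Two points worth noting from the check: a failed `using` clause produces an empty result, not an error, so a client that gets zero rows cannot tell "no data" from "not allowed", which is the desired behaviour for reads; a failed `with check` clause does raise an error, so write paths should expect it. Run the same block with `set local role anon` to confirm the unauthenticated role gets a permission-denied error before any policy is consulted.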
FAQ
Is RLS enough?
RLS is a strong primary defense but should be paired with API-layer authorization for defense in depth. It also has gaps worth checking: it must be enabled on every table that holds per-user data (new tables start with it off), the `service_role` key and table owners bypass it, views run with their owner's privileges unless created with `security_invoker`, and a policy that is merely missing for a command fails closed while one with a wrong predicate fails open. Test policies by running queries as the `anon` and `authenticated` roles rather than as the database owner.