Row Level Security is the lock on every table in a Supabase app. AI builders routinely leave it off — because disabling it is the fastest way to make a demo work. Here’s the two-minute check, the real fix pattern, and what to do if you find a hole.
Supabase → Database → Tables. Any user-data table showing that label is an open door — no attacker skill required, just your public anon key.
A policy that allows every row to everyone isn’t a lock; it’s a doorstop painted to look like one. AI assistants generate these to silence permission errors.
If every account seems to see the same lists, the queries may be unfiltered — which works only because nothing is enforcing boundaries.
That key bypasses RLS entirely by design. In the browser bundle it turns every other fix into theatre — rotate it first.
Every Supabase frontend ships its URL and anon key in the browser — that's normal and fine. RLS policies are the mechanism that stops a stranger using that key to read every row. No policies, no protection.
When a query fails with a permissions error mid-prompt, the fastest fix the model knows is disabling RLS or writing USING (true). The error disappears. The hole stays.
Nothing looks wrong. The app works perfectly for every user — including the one reading other people's rows with a curl command.
Supabase logs API requests — look for table-wide reads from unfamiliar origins or volume spikes. Log retention on free plans is short, so check sooner rather than later; the triage includes this review.
It will produce plausible policies — but security is the one place plausible isn't enough. Policies must be derived from your product's rules and tested from a second account. This is worth a human.
Parts of it, usually — the app was written assuming open tables. The real fix is policies plus the queries that respect them, tested together. Budget a day or two, not an hour.
No — it's designed to be public. The problem is what the key can reach when no policies constrain it. Rotating the anon key without fixing RLS changes nothing.
Inside a rescue sprint it's part of the from-$2,499 fix. Standalone RLS-and-auth hardening on a small app is usually at the bottom of that range — the $299 triage quotes it exactly.
RLS review is the first item in every triage. In 48 hours you’ll know exactly what’s exposed and what it takes to lock it.
43+ happy clients · rated 4.9/5 · senior engineers on every build