Supabase Security Best Practices: Gating RLS and Database Access

June 6, 2026 · 10 min read

Supabase has revolutionized how developers build databases and authentication layers. By providing a managed PostgreSQL instance with an instant REST API, it lets developers ship SaaS products in hours. But this ease of access comes with a major security trade-off: if you don't secure your database config, anyone can read, edit, or delete your entire database. Here is how to keep your Supabase project secure.

1. Row-Level Security (RLS) Is Mandatory

By default, when you create a table in Supabase, Row Level Security is disabled. This means that if anyone gets hold of your public 'anon' key (which is embedded in your client-side JavaScript bundle), they can send a request to your API and fetch every single row from that table.

Always enable RLS on every table. Simply enabling RLS is not enough, however; you must also write specific, secure policies for SELECT, INSERT, UPDATE, and DELETE operations. For example, to restrict read access to only the authenticated user who owns the record, use a policy like this:

create policy "Users can only read their own data" on public.profiles for select using (auth.uid() = user_id);
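The policy above covers reads only. As an added example (not code from the original article), here is the full setup for that profiles table: enabling RLS, one owner-scoped policy per operation, and two audit queries that surface tables where the protection is missing. The column names (id, user_id, display_name) are assumed for illustration.

```sql
-- Added example: assumed schema for public.profiles (column names are illustrative).
create table if not exists public.profiles (
  id uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  display_name text
);

-- Step 1: turn RLS on. With RLS enabled and no policies, every request made
-- through the anon or authenticated role is denied; only service_role bypasses it.
alter table public.profiles enable row level security;

-- Step 2: one policy per operation, each scoped to the row owner.
-- "to authenticated" means unauthenticated anon-key callers never match at all.
create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (auth.uid() = user_id);

-- with check guards the row being written, so a user cannot insert a profile
-- that claims someone else's user_id.
create policy "profiles_insert_own" on public.profiles
  for insert to authenticated
  with check (auth.uid() = user_id);

-- using limits which rows may be targeted; with check stops an update from
-- reassigning the row to another user.
create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "profiles_delete_own" on public.profiles
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit 1: tables in the public schema with RLS still disabled.
-- Every row returned here is fully readable with the public anon key.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and rowsecurity = false;

-- Audit 2: tables with RLS enabled but no policies at all. These deny every
-- client request, which usually means the setup was left half finished.
select t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public'
  and t.rowsecurity
  and p.policyname is null;
```

Run the two audit queries from the SQL editor (they read catalog views, so the service role or dashboard connection is required); an empty result for both is the state you want before shipping.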

2. Understand Anon Keys vs. Service Role Keys

Supabase provides two types of API keys: the `anon` key and the `service_role` key. The anon key is designed to be public and respect RLS policies. The service_role key bypasses all RLS policies entirely.

⚠️ CRITICAL: Never expose your service_role key in client-side code, GitHub repositories, or client bundles. If an attacker gets your service_role key, they have complete root access to your entire database and can bypass every security rule you have written.

3. Secure Your Schema

Keep your schema lean. Every custom function, RPC (Remote Procedure Call), and webhook should be easy to audit. Add database triggers only where they are genuinely needed, and verify that the functions behind them run with restricted database permissions rather than full superuser rights.

How CodeSec Helps

CodeSec has a built-in Supabase security scanner. By simply providing your project URL, it automatically audits your tables for disabled RLS, scans for leaked credentials, checks policy configurations, and alerts you if any sensitive tables are publicly exposed. It helps you catch Supabase misconfigurations before your users' data does.