Supabase RLS Guide

Everything you need to know about Row Level Security.

What is RLS?

Row Level Security (RLS) is a PostgreSQL feature that restricts which rows a database role can read or modify, using policies enforced inside the database itself. In Supabase it is the primary way to protect your data, because it applies no matter which client sends the query: the auto-generated REST API, the client libraries, or direct SQL (only superusers and roles with BYPASSRLS are exempt).

Why is it critical?

Supabase exposes every table in the API-exposed schemas (public by default) through its auto-generated REST API, and your project URL and anon key ship inside your frontend code. On a table without RLS, anyone holding those two values can read, insert, update and delete every row. Missing or overly permissive RLS is the most common security failure in Supabase apps.

Step-by-step setup

1. Enable RLS

-- Enable RLS on every table exposed through the API (repeat for each table).
-- A table with RLS enabled and no policies denies all access to anon and authenticated.
ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well, so code running as the
-- owner cannot accidentally bypass them.
ALTER TABLE public.profiles FORCE ROW LEVEL SECURITY;

2. Create policies

-- Users can read their own profile. TO authenticated keeps the policy off the
-- anon role entirely (auth.uid() is NULL for anon, so the check would be false anyway).
CREATE POLICY "Users read own profile"
  ON public.profiles FOR SELECT
  TO authenticated
  USING (auth.uid() = id);

-- Users can update their own profile. USING selects the rows they may touch;
-- WITH CHECK validates the new row, so a user cannot reassign a row to another id.
-- (If WITH CHECK is omitted, PostgreSQL reuses the USING expression for it.)
CREATE POLICY "Users update own profile"
  ON public.profiles FOR UPDATE
  TO authenticated
  USING (auth.uid() = id)
  WITH CHECK (auth.uid() = id);

-- Users can insert only a row whose id is their own user id.
-- INSERT policies take WITH CHECK, not USING: there is no existing row to filter.
CREATE POLICY "Users insert own profile"
  ON public.profiles FOR INSERT
  TO authenticated
  WITH CHECK (auth.uid() = id);

3. Common policy patterns

  • User owns row: auth.uid() = user_id. Use it in USING for SELECT/UPDATE/DELETE and in WITH CHECK for INSERT/UPDATE, otherwise a user can write rows that belong to someone else.
  • Public read, private write: a SELECT policy with USING (true) for anon and authenticated, plus INSERT/UPDATE/DELETE policies restricted to the owning user.
  • Organization-based: check the caller's membership through a memberships table. Put the lookup in a SECURITY DEFINER function; a policy on memberships that itself queries memberships fails with "infinite recursion detected in policy".
  • Admin override: check a role column, but make sure no user-writable policy covers that column. If role lives on profiles and the UPDATE policy from step 2 is in place, every user can promote themselves to admin.
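The four patterns above, combined on one hypothetical posts table. This is an added example, not code from the original guide: the tables, columns, role names and the is_org_member helper are assumptions chosen for illustration. The role column lives on memberships, which gets no INSERT/UPDATE policy at all, so it cannot be changed through the API and the admin override cannot be self-granted.

```sql
-- Added example (not from the original guide). Table and column names are assumptions.
create table public.memberships (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null default 'member' check (role in ('member', 'admin')),
  primary key (org_id, user_id)
);

create table public.posts (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null,
  author_id uuid not null default auth.uid(),
  body      text not null,
  is_public boolean not null default false
);

alter table public.memberships enable row level security;
alter table public.posts enable row level security;

-- Membership lookup as SECURITY DEFINER: it runs as the function owner and so is not
-- subject to the RLS on memberships, which avoids policy recursion. Pin search_path
-- and restrict EXECUTE, since functions are executable by PUBLIC by default.
create or replace function public.is_org_member(p_org uuid, p_min_role text default 'member')
returns boolean
language sql
stable
security definer
set search_path = ''
as $$
  select exists (
    select 1
    from public.memberships m
    where m.org_id = p_org
      and m.user_id = (select auth.uid())
      and (p_min_role = 'member' or m.role = 'admin')
  );
$$;
revoke execute on function public.is_org_member(uuid, text) from public, anon;
grant  execute on function public.is_org_member(uuid, text) to authenticated;

-- Public read, private write: anyone, including anon, may read posts marked public.
create policy "Public posts readable by anyone"
  on public.posts for select
  to anon, authenticated
  using (is_public);

-- Organization-based: members read every post in their own organizations.
-- SELECT policies are permissive, so this ORs with the public-read policy above.
create policy "Members read org posts"
  on public.posts for select
  to authenticated
  using (public.is_org_member(org_id));

-- User owns row + organization: insert only as yourself, only into your own orgs.
create policy "Members insert own posts"
  on public.posts for insert
  to authenticated
  with check (author_id = (select auth.uid()) and public.is_org_member(org_id));

-- User owns row: only the author may update, and cannot move the post to
-- another author or another organization.
create policy "Authors update own posts"
  on public.posts for update
  to authenticated
  using (author_id = (select auth.uid()))
  with check (author_id = (select auth.uid()) and public.is_org_member(org_id));

-- Admin override: organization admins may delete any post in their org.
create policy "Org admins delete posts"
  on public.posts for delete
  to authenticated
  using (public.is_org_member(org_id, 'admin'));

-- Users may see their own memberships. There is deliberately no INSERT/UPDATE/DELETE
-- policy: with RLS enabled, the API denies those writes, so nobody can set their own
-- role. Manage memberships server-side with the service role key.
create policy "Users read own memberships"
  on public.memberships for select
  to authenticated
  using (user_id = (select auth.uid()));
```

Wrapping auth.uid() as (select auth.uid()) lets PostgreSQL evaluate it once per query instead of once per row, which matters on large tables; the behaviour is identical to the bare call used in step 2.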

4. Test your policies

One option is to scan with Aphido, which checks each table exposed through the API for missing or permissive RLS. Also test by hand: in the SQL editor or psql, impersonate the anon and authenticated roles and confirm that each one sees, and can change, only the rows you intend. A policy that looks right in the editor is only proven when a cross-user write actually fails.
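A manual test of the step 2 policies, as an added example that is not part of the original guide. It runs in one transaction as the postgres user: it creates a scratch copy of the profiles table with the same policies, seeds two constructed user ids, then impersonates each API role the way Supabase's own auth.uid() expects (the function reads the JWT "sub" claim from the request.jwt.claims setting) and asserts what that role can see and write. The table name, user ids and usernames are made up; the final rollback discards everything.

```sql
-- Added example (not from the original guide). Run as a whole in the SQL editor or psql.
begin;

-- Scratch table mirroring step 1 and step 2; seeded before RLS is switched on so
-- the seed does not depend on the current role bypassing policies.
create table public.profiles_rls_demo (
  id       uuid primary key,
  username text
);
insert into public.profiles_rls_demo (id, username) values
  ('11111111-1111-1111-1111-111111111111', 'alice'),   -- constructed user id
  ('22222222-2222-2222-2222-222222222222', 'bob');     -- constructed user id

alter table public.profiles_rls_demo enable row level security;
alter table public.profiles_rls_demo force row level security;
grant select, insert, update on public.profiles_rls_demo to anon, authenticated;

create policy "read own"   on public.profiles_rls_demo for select using (auth.uid() = id);
create policy "update own" on public.profiles_rls_demo for update using (auth.uid() = id);
create policy "insert own" on public.profiles_rls_demo for insert with check (auth.uid() = id);

-- Impersonate Alice. set_config(..., true) is transaction-local; set local role
-- switches to the same role PostgREST uses for a logged-in user.
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);
set local role authenticated;

do $$
declare visible int;
begin
  -- SELECT: only Alice's own row is visible.
  select count(*) into visible from public.profiles_rls_demo;
  assert visible = 1, format('alice should see 1 row, saw %s', visible);

  -- UPDATE of Bob's row: USING filters it out, so zero rows are affected (no error).
  update public.profiles_rls_demo set username = 'pwned'
   where id = '22222222-2222-2222-2222-222222222222';
  assert not found, 'alice was able to update bob''s row';

  -- INSERT for another user: WITH CHECK rejects it with SQLSTATE 42501.
  begin
    insert into public.profiles_rls_demo (id, username)
    values ('33333333-3333-3333-3333-333333333333', 'mallory');
    raise exception 'insert for another user was allowed';
  exception when insufficient_privilege then
    raise notice 'ok, cross-user insert blocked: %', sqlerrm;
  end;
end $$;

reset role;

-- Anonymous caller: no JWT, so auth.uid() is NULL and every policy evaluates false.
select set_config('request.jwt.claims', '', true);
set local role anon;

do $$
declare visible int;
begin
  select count(*) into visible from public.profiles_rls_demo;
  assert visible = 0, format('anon should see 0 rows, saw %s', visible);
end $$;

rollback;  -- drop the scratch table and undo the role and claim changes
```

If any assertion fails the transaction aborts with the message, which is the signal you want from a policy test. To run the same checks against the real profiles table, replace the scratch table with it and keep the rollback so the test writes never persist.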