How to add Row Level Security to a Lovable app
Lovable provisions a Supabase database but often leaves tables readable by the public anon key. Until you enable and write row-level security policies, anyone can read your users' data.
Step by step
1. Find your tables in Supabase
Open the Supabase project Lovable created for you, go to Table Editor, and list every table that holds user or app data.
2. Enable RLS on each table
In Authentication → Policies (or the table's RLS toggle), enable Row Level Security on every table. With RLS on and no policy, the table is locked by default.
3. Write least-privilege policies
Add policies that only let a user touch their own rows, e.g. USING (auth.uid() = user_id) for select/update/delete. Avoid 'true' or 'allow all' policies.
4. Verify with the anon key
Re-run our free Supabase RLS checker with your anon key to confirm no table returns data without authentication.