
How to enable Row Level Security on Supabase

The problem

A Supabase table without RLS is fully readable by anyone holding your anon key — which ships in your frontend. Enabling RLS correctly is the single most important step to securing a Supabase app.

Step by step

  1. Turn on RLS for every data table

    In the Supabase dashboard, enable Row Level Security on each table. Once enabled with no policy, access is denied by default — exactly what you want.

  2. Add a SELECT policy scoped to the user

    Create a policy like CREATE POLICY "own rows" ON your_table FOR SELECT USING (auth.uid() = user_id);

  3. Repeat for INSERT / UPDATE / DELETE

    Each operation needs its own policy. Use WITH CHECK on writes to stop users from writing rows they shouldn't own.

  4. Test both authenticated and anonymous access

    Confirm an anonymous request returns nothing and an authenticated user sees only their own rows.
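
The four steps above as one SQL script, added here as an example and not taken from ClearedToShip or Supabase. `public.your_table` and `user_id` follow the page's policy; the `TO authenticated` clauses, the extra policy names, the test UUID, and the assumption that the SQL editor's role may switch to `anon` and `authenticated` are additions.

```sql
-- Added example. Assumes public.your_table has a uuid column user_id (names from the page).

-- Step 1: enable RLS, then list any public tables that still have it off.
ALTER TABLE public.your_table ENABLE ROW LEVEL SECURITY;
SELECT tablename FROM pg_tables WHERE schemaname = 'public' AND NOT rowsecurity;

-- Step 2: reads are limited to the caller's own rows.
-- TO authenticated is an addition to the page's policy.
CREATE POLICY "own rows" ON public.your_table
  FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

-- Step 3: one policy per write operation.
-- WITH CHECK validates the row as it would be stored, so user_id cannot name another user.
CREATE POLICY "own rows insert" ON public.your_table
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY "own rows update" ON public.your_table
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)        -- which existing rows may be updated
  WITH CHECK (auth.uid() = user_id);  -- what the updated row must still satisfy

CREATE POLICY "own rows delete" ON public.your_table
  FOR DELETE TO authenticated
  USING (auth.uid() = user_id);

-- Step 4a: count rows visible to an anonymous request.
BEGIN;
SET LOCAL ROLE anon;
SELECT count(*) AS visible_to_anon FROM public.your_table;
ROLLBACK;

-- Step 4b: as a signed-in user (constructed UUID), count visible rows owned by anyone else.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
SELECT count(*) AS foreign_rows_visible
  FROM public.your_table
  WHERE user_id IS DISTINCT FROM auth.uid();
ROLLBACK;
```

When the policies hold, both counts in step 4 come back as zero, matching what the page says to confirm: nothing for an anonymous request and only the user's own rows when authenticated.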
