Supabase Missing RLS

CREATE TABLE in migrations without enabling RLS

critical | Security | supabase-missing-rls

Why this matters

Supabase tables without Row Level Security (RLS) are accessible to any authenticated user (or to the anon role, if allowed). Every table needs RLS enabled, plus policies to restrict access.

Bad

-- migration.sql
CREATE TABLE posts (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id uuid REFERENCES auth.users(id),
  title text NOT NULL,
  body text NOT NULL
);

Good

-- migration.sql
CREATE TABLE posts (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  user_id uuid REFERENCES auth.users(id),
  title text NOT NULL,
  body text NOT NULL
);

ALTER TABLE posts ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users can read own posts"
  ON posts FOR SELECT
  USING (auth.uid() = user_id);

How to fix

Add ALTER TABLE ... ENABLE ROW LEVEL SECURITY and at least one policy for every table in your Supabase migrations.
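
A minimal static check for this rule, as an added example (not the rule's own implementation): it scans migration SQL for CREATE TABLE statements that have no matching ENABLE ROW LEVEL SECURITY or CREATE POLICY. The function names and sample migrations are constructed for illustration; later DISABLE or DROP statements are not tracked.

```python
import re

# Table reference: optional schema, optional double quotes; captures the bare
# table name. Schemas are ignored, so same-named tables in two schemas collide.
_IDENT = r'(?:"?[\w$]+"?\.)?"?([\w$]+)"?'
_CREATE = re.compile(
    r'\bCREATE\s+(?:UNLOGGED\s+)?TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?' + _IDENT, re.I)
_ENABLE = re.compile(
    r'\bALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:ONLY\s+)?' + _IDENT
    + r'\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY\b', re.I)
_POLICY = re.compile(
    r'\bCREATE\s+POLICY\s+(?:"[^"]+"|[\w$]+)\s+ON\s+' + _IDENT, re.I)


def _strip_comments(sql):
    # Remove /* ... */ and -- comments so commented-out statements do not count.
    # Simplification: comment markers inside string literals are not handled.
    sql = re.sub(r'/\*.*?\*/', ' ', sql, flags=re.S)
    return re.sub(r'--[^\n]*', ' ', sql)


def find_missing_rls(migrations):
    """Take migration SQL strings in apply order; return {table: finding}."""
    created, enabled, has_policy = [], set(), set()
    for sql in migrations:
        sql = _strip_comments(sql)
        created += [m.group(1).lower() for m in _CREATE.finditer(sql)]
        enabled |= {m.group(1).lower() for m in _ENABLE.finditer(sql)}
        has_policy |= {m.group(1).lower() for m in _POLICY.finditer(sql)}
    findings = {}
    for table in created:
        if table not in enabled:
            findings[table] = "RLS not enabled"
        elif table not in has_policy:
            findings[table] = "RLS enabled but no policy"
    return findings


# Constructed sample migrations, modelled on the page's Bad and Good cases.
BAD = """-- migration.sql
CREATE TABLE posts (id uuid PRIMARY KEY, user_id uuid, title text NOT NULL);
-- ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
"""
ENABLE_ONLY = 'ALTER TABLE public."posts" ENABLE ROW LEVEL SECURITY;'
POLICY = """CREATE POLICY "Users can read own posts"
  ON posts FOR SELECT USING (auth.uid() = user_id);"""

if __name__ == "__main__":
    for label, files in [("bad", [BAD]), ("no policy", [BAD, ENABLE_ONLY]),
                         ("good", [BAD, ENABLE_ONLY, POLICY])]:
        print(label, find_missing_rls(files))
```

The "RLS enabled but no policy" finding marks a table that is locked down rather than exposed: with RLS on and no policy, PostgreSQL denies all rows to roles other than the table owner.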
