Security
SecurityCritical

Supabase Row Level Security

Checks that Supabase tables have Row Level Security (RLS) enabled with policies.

What this check measures

If the audit detects Supabase usage (the anon key visible in JS), we attempt a `select *` from commonly named tables (users, profiles, posts) using the anon key. If data returns, RLS is missing — critical.

Why it matters

Without RLS, anyone with your anon key (which is in your JS) can run any query. We regularly audit Lovable apps where `select * from users` returns every customer's email from a browser tab. This is the #1 security issue we find.

search

How our audit detects it

Detect Supabase URL + anon key in JS. Attempt unauth'd REST queries against common table names. Any successful query = RLS missing on that table.

Typical findings

  • error_outlineusers table queryable by anon — email, hashed passwords, everything leaked.
  • error_outlineRLS enabled but no policies — table is locked, but developer "fixes" by disabling RLS again.
  • error_outlineservice_role key used in a client file — bypasses RLS entirely.

How to fix

Enable RLS on every table: `alter table X enable row level security;`. Add policies matching your access pattern (e.g., `using (auth.uid() = user_id)`). Test from incognito browser — no data should leak.

Copy-paste fix prompt for your stack

Lovable · Cursor · Bolt · v0 · Replit · Windsurf · Claude Code · Base44

View the fix prompt →

Frequently asked questions

Why does enabling RLS break things?expand_more
Because enabling RLS without policies blocks all access. Add policies matching your access pattern.
Can I skip RLS for admin tables?expand_more
Only if you NEVER touch them from client code. Defense in depth — enable anyway; future-you will expose them to the client eventually.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

Scan my site

Related checks

Security

HTTPS Enabled

Checks that the site serves over HTTPS and redirects HTTP to HTTPS.

Security

TLS Version

Checks that the server uses TLS 1.2 or higher — older versions are broken.

Security

Mixed Content

Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.

Security

SSL Certificate

Checks that the SSL certificate is valid, not expired, and not expiring soon.

Learn more in the Glossaryarrow_forward