Supabase Security Checklist: 24-Item Guide for RLS and Beyond

TL;DR

Enable RLS on every table. Write policies for SELECT, INSERT, UPDATE, DELETE. Keep the service role key server-side only. Configure storage bucket policies. This 24-item checklist covers all Supabase security essentials. 7 critical items must be fixed before launch, 10 important items within the first week, and 7 recommended items when you can.

Supabase gives you a Postgres database with a direct API, which is powerful but means misconfigured RLS can expose your entire dataset to the internet. I have seen too many projects ship with RLS disabled "temporarily" and forget about it. Walk through each item here, especially if you set up your tables in a hurry.

Quick Checklist (5 Critical Items)

::checklist-item{label="RLS enabled on ALL tables" description="Check each table - "RLS Enabled" should be green"} ::

service_role key NEVER in browserService role bypasses RLS - only use server-side

SELECT policies defined for all tablesUsers should only see their own data

Policies use auth.uid() correctlyCompare user_id column with auth.uid() for ownership

No keys hardcoded in source codeSearch for your Supabase project URL in code

Row Level Security (RLS) 6

::checklist-item{label="RLS enabled on ALL tables" description="Check each table in Supabase dashboard - "RLS Enabled" should be green. How to set up Supabase RLS"} ::

SELECT policies definedUsers should only see their own data unless intentionally public. How to write RLS policies

INSERT policies definedVerify user can only insert records for themselves. How to write RLS policies

UPDATE policies definedUsers can only update their own records. How to write RLS policies

DELETE policies definedUsers can only delete their own records. How to write RLS policies

Policies use auth.uid() correctlyCompare user_id column with auth.uid() for ownership checks. How to test RLS policies

API Keys 4

anon key used in browserThe anon/public key is safe for client-side use WITH RLS enabled. How to separate client/server keys

service_role key NEVER in browserService role bypasses RLS - only use server-side. How to protect service role key

service_role key in environment variablesStore in .env.local (not committed) or hosting platform secrets. How to configure env variables

No keys in source codeSearch for your Supabase project URL to find any hardcoded keys. How to secure API keys

Storage Buckets 4

Bucket policies configuredEach storage bucket should have appropriate access policies. How to configure storage policies

Public buckets are intentionally publicOnly make buckets public if the content should be world-readable. How to configure public buckets

File type restrictionsRestrict uploads to expected file types (images, documents, etc.). How to secure file uploads

File size limitsSet maximum file size to prevent abuse. How to set file size limits

Authentication 4

Email confirmations enabled (if needed)Require email verification before account access. How to configure email confirmation

Password strength requirementsConfigure minimum password requirements in Auth settings. How to set password requirements

OAuth providers configured securelyRedirect URLs and scopes properly configured. How to configure OAuth

JWT expiry configuredBalance security (shorter) vs UX (longer) for token expiry. How to configure JWT expiry

Edge Functions 3

Functions verify JWTCheck Authorization header and verify JWT in Edge Functions. How to verify JWT in Edge Functions

CORS configured properlyOnly allow requests from your domains. How to configure CORS

Input validation in functionsValidate and sanitize all input to Edge Functions. How to validate on server

Database 3

No public schemas exposed unnecessarilyCheck API settings for which schemas are exposed. How to manage schema exposure

Sensitive columns excluded from APIUse column grants or views to hide sensitive fields. How to hide sensitive columns

Database backups enabledPro plan includes Point-in-Time Recovery. How to configure backups

How to Use This Checklist

Go through each item before deploying your Supabase project. If you find an issue, fix it before moving on. Use the Supabase Dashboard's "API Docs" to test your RLS policies. Try accessing data as different users to verify policies work correctly.

What is Row Level Security (RLS) in Supabase?

Row Level Security is a PostgreSQL feature that allows you to control which rows a user can access. In Supabase, RLS policies ensure users can only read, insert, update, or delete rows they're authorized to access based on their authentication status.

What's the difference between anon key and service role key?

The anon key is safe for browser use and respects RLS policies. The service role key bypasses all RLS and should ONLY be used server-side. Never expose the service role key in client-side code.

Do I need RLS if I only access Supabase from the server?

Yes. Even with server-only access, RLS provides defense in depth. If your server-side code has a bug or vulnerability, RLS can prevent unauthorized data access. It's an important security layer.