[{"data":1,"prerenderedAt":214},["ShallowReactive",2],{"blog-glossary/rls":3},{"id":4,"title":5,"body":6,"category":190,"date":191,"dateModified":191,"description":192,"draft":193,"extension":194,"faq":195,"featured":193,"headerVariant":199,"image":200,"keywords":200,"meta":201,"navigation":202,"ogDescription":203,"ogTitle":200,"path":204,"readTime":205,"schemaOrg":206,"schemaType":207,"seo":208,"sitemap":209,"stem":210,"tags":211,"twitterCard":212,"__hash__":213},"blog/blog/glossary/rls.md","What is Row Level Security (RLS)? Supabase Guide",{"type":7,"value":8,"toc":176},"minimark",[9,16,21,24,27,31,34,49,53,56,69,73,78,81,90,94,97,103,107,123,145,164],[10,11,12],"tldr",{},[13,14,15],"p",{},"Row Level Security (RLS) is a database feature that controls which rows each user can see or modify. Instead of filtering data in your app code, the database itself enforces access rules. In Supabase, RLS is critical because your anon key is public. Without RLS policies, anyone could read your entire database. Enable RLS on every table and write policies that restrict access to each user's own data.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"Imagine a shared Google Sheets document where everyone can only see rows they created. They don't even know other rows exist. That's what RLS does for your database.",[13,25,26],{},"Without RLS, your database is like a spreadsheet where everyone can see everything. With RLS, each user has their own filtered view.",[17,28,30],{"id":29},"why-rls-matters-for-supabase-apps","Why RLS Matters for Supabase Apps",[13,32,33],{},"Supabase is designed to let you query the database directly from your frontend. The JavaScript client uses an \"anon key\" that anyone can see in your page source. This is intentional and safe, but only if you have RLS enabled.",[35,36,37],"warning-box",{},[13,38,39,43,44,48],{},[40,41,42],"strong",{},"Without RLS:"," Anyone with your anon key can run queries like ",[45,46,47],"code",{},"SELECT * FROM users"," and get EVERYONE's data. This is the #1 security mistake in Supabase apps.",[17,50,52],{"id":51},"how-rls-works","How RLS Works",[13,54,55],{},"RLS uses policies that act like automatic WHERE clauses. When a user queries the database, the policy adds conditions to filter the results.",[57,58,60,63,66],"prompt-box",{"title":59},"Enable RLS and add policy",[13,61,62],{},"-- Enable RLS on the table\nALTER TABLE posts ENABLE ROW LEVEL SECURITY;",[13,64,65],{},"-- Users can only see their own posts\nCREATE POLICY \"Users see own posts\" ON posts\nFOR SELECT USING (auth.uid() = user_id);",[13,67,68],{},"-- Users can only insert as themselves\nCREATE POLICY \"Users insert own posts\" ON posts\nFOR INSERT WITH CHECK (auth.uid() = user_id);",[17,70,72],{"id":71},"common-rls-patterns","Common RLS Patterns",[74,75,77],"h3",{"id":76},"public-read-owner-write","Public Read, Owner Write",[13,79,80],{},"Anyone can view, but only the owner can modify:",[57,82,84,87],{"title":83},"Public profiles pattern",[13,85,86],{},"-- Anyone can read profiles\nCREATE POLICY \"Public profiles are viewable\"\nON profiles FOR SELECT USING (true);",[13,88,89],{},"-- Only owner can update\nCREATE POLICY \"Users can update own profile\"\nON profiles FOR UPDATE\nUSING (auth.uid() = id);",[74,91,93],{"id":92},"team-based-access","Team-Based Access",[13,95,96],{},"Users can access data from their team:",[57,98,100],{"title":99},"Team access pattern",[13,101,102],{},"CREATE POLICY \"Team members can view team data\"\nON projects FOR SELECT\nUSING (\nteam_id IN (\nSELECT team_id FROM team_members\nWHERE user_id = auth.uid()\n)\n);",[17,104,106],{"id":105},"testing-your-rls-policies","Testing Your RLS Policies",[108,109,110,114,117,120],"ol",{},[111,112,113],"li",{},"Log in as User A, create some data",[111,115,116],{},"Log in as User B, try to view User A's data",[111,118,119],{},"User B should see empty results or only their own data",[111,121,122],{},"Try updating/deleting User A's data as User B (should fail)",[124,125,126,133,139],"faq-section",{},[127,128,130],"faq-item",{"question":129},"What happens if I don't enable RLS in Supabase?",[13,131,132],{},"Without RLS enabled, anyone with your Supabase anon key can read, modify, or delete ALL data in your tables. Since the anon key is visible in your frontend code, this means any user could access every other user's data. This is one of the most common security mistakes in Supabase apps.",[127,134,136],{"question":135},"Do I need RLS if I only access the database from my backend?",[13,137,138],{},"If you only use the service_role key from your backend and never expose the anon key in frontend code, you could theoretically skip RLS. However, RLS is still recommended as defense in depth. It protects against bugs in your backend code that might accidentally expose data.",[127,140,142],{"question":141},"How do I test if my RLS policies are working?",[13,143,144],{},"In Supabase, use the SQL Editor to test policies by setting the role. Run SET ROLE authenticated; then try SELECT queries. You can also use the Supabase client logged in as different test users to verify they only see their own data.",[146,147,148,154,159],"related-articles",{},[149,150],"related-card",{"description":151,"href":152,"title":153},"RLS is a form of authorization","/blog/glossary/authorization","Authorization",[149,155],{"description":156,"href":157,"title":158},"Another database security risk","/blog/glossary/sql-injection","SQL Injection",[149,160],{"description":161,"href":162,"title":163},"What RLS prevents","/blog/glossary/idor","IDOR",[165,166,169,173],"cta-box",{"href":167,"label":168},"/","Start Free Scan",[17,170,172],{"id":171},"check-your-rls","Check Your RLS",[13,174,175],{},"Scan your Supabase project for missing RLS policies.",{"title":177,"searchDepth":178,"depth":178,"links":179},"",2,[180,181,182,183,188,189],{"id":19,"depth":178,"text":20},{"id":29,"depth":178,"text":30},{"id":51,"depth":178,"text":52},{"id":71,"depth":178,"text":72,"children":184},[185,187],{"id":76,"depth":186,"text":77},3,{"id":92,"depth":186,"text":93},{"id":105,"depth":178,"text":106},{"id":171,"depth":178,"text":172},"glossary","2026-01-12","Learn what Row Level Security is, why it matters for Supabase apps, and how to implement RLS policies. Essential security for vibe-coded database apps.",false,"md",[196,197,198],{"question":129,"answer":132},{"question":135,"answer":138},{"question":141,"answer":144},"green",null,{},true,"Database-level security that ensures users only see their own data.","/blog/glossary/rls","6 min read","[object Object]","DefinedTerm",{"title":5,"description":192},{"loc":204},"blog/glossary/rls",[],"summary_large_image","ynFGFzETMtPK-7ol-SMTvXeQCZICZIvfCTa0F3EAKc4",1775843921985]