Supabase Backend Launch Security Checklist

TL;DR

Supabase security centers on Row Level Security (RLS). Before launch, enable RLS on ALL tables, verify each policy works correctly, never expose the service_role key, test that users can only access their own data, and configure auth settings for your use case.

Row Level Security (RLS) 6

Enable RLS on EVERY tableGo to each table in dashboard, verify RLS is ON. No exceptions.

Review each RLS policyPolicies should use auth.uid() to restrict access to user's own data

Check junction/link tablesTables connecting users to resources often miss RLS

Test SELECT policiesCan User A read User B's data? They shouldn't be able to.

Test INSERT/UPDATE/DELETE policiesCan users modify data they don't own? Test each operation.

::checklist-item{label="Check for overly permissive policies" description="Policies with "true" allow everyone. Only use intentionally."} ::

API Keys 4

Verify service_role key is never in client codeSearch for service_role in your codebase. It bypasses RLS!

Only use anon key in browserThe anon key is safe for client-side use because RLS protects data

Check environment variablesNEXT_PUBLIC_SUPABASE_ANON_KEY is fine. service_role key must be server-only.

Rotate keys if accidentally exposedIf service_role was exposed, rotate immediately in dashboard

Authentication 4

Configure auth providersOnly enable providers you actually use

Set up email templatesCustomize confirmation and recovery emails

Configure redirect URLsAdd your production domain to allowed redirect URLs

Test email verification (if enabled)Verify users can't access app without confirming email

Additional Security 4

Review Edge Functions (if using)Add auth checks to Edge Functions that access sensitive data

Check Storage bucket policiesStorage also uses RLS-style policies. Review them.

Enable database backupsGo to Settings > Database > Backups

Run automated security scanCatch issues you may have missed

What should I check before launching with Supabase?

Before launching with Supabase, verify RLS is enabled on ALL tables, review each RLS policy, ensure the service_role key is never exposed to clients, test data isolation between users, and configure auth settings appropriately.

Is it safe to use the Supabase anon key in the browser?

Yes, the anon key is designed for client-side use. It only provides access that your RLS policies allow. The service_role key bypasses RLS and must never be exposed to clients.

Supabase Backend Launch Security Checklist: 18 Items Before Going Live