Skip to content
AI Coding GuildAI Coding Guild
Back to Skills
intermediateSecurity FirstGuild Member

Supabase Row Level Security Hardening

Lock down your Supabase database with bulletproof RLS policies. Because a public API key means anyone can try.

Public Skill Preview

Copy the safety prompt now. Unlock the full build workflow with Guild Member.

This page is intentionally public so you can evaluate the workflow before paying. The security scan prompt stays copy-ready for everyone. Guild Member unlocks the full build prompt, packaged workflow, and the deeper implementation guidance behind this skill.

Unlock Guild MemberOpen the safety starter pack
~40 minutes0 views

Overview

Supabase exposes your database via a public API key. That key is in your client-side JavaScript. Anyone can see it. The ONLY thing standing between your data and the world is Row Level Security (RLS). This skill teaches you to: - Understand why RLS is non-negotiable for Supabase apps - Enable RLS on every table (and verify none were missed) - Write policies for common patterns: user-owns-row, org membership, role-based access - Handle the service_role key safely (server-side only, never in the browser) - Test your policies by simulating different user roles - Set up a policy audit checklist you run before every deploy - Handle common gotchas: policies on views, RLS with joins, storage bucket policies - Create a monitoring query to detect tables without RLS If you're using Supabase and you haven't hardened your RLS, your database is essentially public. This skill fixes that.

Prerequisites

  • Supabase project
  • At least one table with data
  • Understanding of SQL basics

Tools Used

Supabase Dashboardpsql or SQL editorSupabase CLI

Step 1: Run the Security Scan FIRST

Security Scan Prompt

Always run this security scan before executing any generated code. Review every finding before proceeding.

Before applying any RLS policies from this skill:

1. NEVER run DROP POLICY or ALTER TABLE ... DISABLE ROW LEVEL SECURITY without understanding the impact
2. Verify no policies use `true` as the USING clause (that makes the table fully public)
3. Check that service_role policies use `auth.role() = 'service_role'` not a weaker check
4. Ensure no policies expose other users' data via overly broad conditions
5. Test every policy in a development environment BEFORE applying to production
6. Back up your current policies before making changes: SELECT * FROM pg_policies;

RLS mistakes can expose your entire database. Test thoroughly.

Step 2: Preview the Build Workflow

Guild Member Build Prompt

You can inspect the shape of the workflow here, but Guild Member unlocks the full prompt, packaged implementation steps, and the deeper lesson behind it.

I need to harden Row Level Security (RLS) on my Supabase database. Here's my setup:
**Tables**: [LIST YOUR TABLES]
**Auth provider**: Clerk (external, not Supabase Auth)
**Key relationships**: [DESCRIBE WHICH TABLES HAVE user_id, org_id, etc.]
1. **RLS Audit**: Check every table - is RLS enabled? Are there any tables with RLS disabled? Generate a SQL query I can run to find unprotected tables.
2. **Policy Templates**: For each table, create appropriate policies:

[Guild Member unlocks the remaining prompt steps and packaged workflow.]
See Guild Member pricingUse a public prompt pack instead
#rls#supabase#database#security#policies#intermediate