RLS
9 min read
Supabase RLS audit checklist: what to verify before production
Open A practical Supabase RLS audit checklist covering enabled RLS, FORCE RLS, grants, policy scope, views, RPC functions, Storage, and regression checks.
Supabase security field notes
Field guides for real Supabase exposure checks.
Each guide covers exact checks, SQL, risk signals, and remediation patterns for production Supabase apps.
Editorial bar
- Search intent first
- Concrete SQL verification
- Backend-only remediation paths
RLS
Supabase RLS audit checklist: what to verify before productionA practical Supabase RLS audit checklist covering enabled RLS, FORCE RLS, grants, policy scope, views, RPC functions, Storage, and regression checks.
Read guideGrants
Supabase anon and authenticated grants: the hidden exposure layerHow Supabase anon/authenticated grants interact with RLS, why broad grants create public attack surface, and how to move sensitive access backend-only.
Read guideStorage
Supabase Storage private files: avoid bucket, listing, and signed URL leaksA technical guide to Supabase Storage privacy covering bucket visibility, object listing, object path predictability, signed URL TTL, and backend download flows.
Read guideAll guides
Built for operators.
Short, technical writeups with verification steps and fix patterns.
Grants
8 min read
Supabase anon and authenticated grants: the hidden exposure layer
Open How Supabase anon/authenticated grants interact with RLS, why broad grants create public attack surface, and how to move sensitive access backend-only.
Storage
7 min read
Supabase Storage private files: avoid bucket, listing, and signed URL leaks
Open A technical guide to Supabase Storage privacy covering bucket visibility, object listing, object path predictability, signed URL TTL, and backend download flows.
RPC
8 min read
Supabase RPC and SECURITY DEFINER review: stop function-level bypasses
Open Review Supabase RPC exposure, EXECUTE grants, SECURITY DEFINER functions, search_path safety, parameter authorization, and backend-only wrappers.
Next.js
7 min read
NEXT_PUBLIC secret leakage: how to audit Supabase keys in Next.js
Open How to audit Next.js environment variables, Supabase anon/service-role keys, bundle exposure, server-only code paths, and build-time leak prevention.
Architecture
9 min read
Backend-only Supabase access: a cleaner pattern for sensitive products
Open A thoughtful backend-only Supabase security pattern for sensitive tables, combining revoked client grants, server routes, explicit authorization, and RLS defense in depth.