Jun 12, 2026

Your Supabase login is decoration if RLS is off

AI leaves Row Level Security off, so the public anon key in your frontend can read and write your entire database from the browser. How to check and fix it.

Your Supabase app looks locked down — you log in, the right data appears. But if Row Level Security is off, anyone can skip your app entirely and read or write your whole database from the browser.

What you shipped

Your app talks to Supabase with a public anon key — and that key ships inside your frontend bundle, visible to every visitor. Row Level Security (RLS) is the thing that stops that key from touching data it shouldn’t. AI often leaves it off:

Spot the bug

With RLS off, the public key is effectively a master key.

How anyone exploits it

Open the browser console on your site and talk to the database directly:

await supabase.from('users').select('*')    // every user
await supabase.from('orders').update(...)    // anyone's order

Your login screen is decoration. The data underneath has no lock.

Why you won’t catch it

RLS being off never throws an error — it silently allows everything. Your app keeps working perfectly, every test passes, and nothing warns you. You find out when someone dumps a table.

Why AI leaves it off

“Off” is the default state of a new table, and the app works fine without policies during development. Turning RLS on actually adds friction (now you must write policies), so the happy path skips it.

The fix

Enable RLS on every table, then write policies that scope rows to their owner:

alter table orders enable row level security;

create policy "own orders" on orders
  for select using (auth.uid() = user_id);

Check your app

  • Every table has RLS enabled (one table left off is the whole breach).
  • Policies scope rows by auth.uid(), not using (true).
  • Storage buckets aren’t public when they hold user uploads.
  • The service-role key is never used in the frontend (it bypasses RLS entirely).
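The post's fix above covers only select; a table also needs policies for insert, update and delete, and the checklist items are easiest to verify with queries against the Postgres catalog. The following is an added example, not code from the post or from Velify: it assumes the same orders table with a user_id column (uuid, matching auth.uid()), adds a "to authenticated" clause so the anon role is excluded entirely, and finishes with three audit queries you can paste into the Supabase SQL editor.

```sql
-- Turn RLS on. Until policies exist, authenticated and anon get no rows (fail-closed).
alter table public.orders enable row level security;

-- Read: only rows whose user_id matches the caller.
create policy "orders: select own" on public.orders
  for select to authenticated
  using (auth.uid() = user_id);

-- Insert: "with check" is evaluated on the row being written,
-- so a caller cannot create an order stamped with someone else's id.
create policy "orders: insert own" on public.orders
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Update: "using" limits which rows can be targeted,
-- "with check" stops the caller reassigning the row to another user.
create policy "orders: update own" on public.orders
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Delete: own rows only.
create policy "orders: delete own" on public.orders
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit 1: every table in public that still has RLS off (checklist item 1).
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Audit 2: policies that are effectively "allow everything" (checklist item 2).
-- pg_policies stores the expression text, so using (true) shows up as 'true'.
select schemaname, tablename, policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'public'
  and (qual = 'true' or with_check = 'true');

-- Audit 3: tables with RLS on but no policies at all. These deny everything,
-- which is safe, but usually means a table was forgotten rather than locked on purpose.
select t.tablename
from pg_tables t
left join pg_policies p
  on p.schemaname = t.schemaname and p.tablename = t.tablename
where t.schemaname = 'public' and t.rowsecurity and p.policyname is null;
```

Audits 1 and 2 should return zero rows before you ship; a non-empty result from either is the exact condition described in the post.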

The bigger problem

A senior dev turns RLS on before shipping by reflex. But nothing in the build reminds you it’s off — the app works, the demo works, the tests pass. The author and reviewer are the same model with the same blind spot.

That’s the gap Velify is built to close: it reads your project and flags exactly this, in plain language, no terminal.

Join the early list at getvelify.app →
