ShipSealed · guides

Supabase RLS guides

Row-Level Security done right — enable it, scope policies, go multi-tenant, fix the errors that leak, and prove tenant isolation with tests. Every snippet is real and tested against a database.

◆ START HERE · PILLARSupabase security checklist before launchThe pre-launch Supabase security checklist: RLS on every table, policies scoped to the user, WITH CHECK on writes, no permissive policies, service_role server-only, and an isolation test in CI — each with the guide to do it. Fix: new row violates row-level security policySupabase RLS · Error fixHow to enable Row-Level Security on a Supabase tableSupabase RLS · How-toHow to write an owner-scoped RLS policy (SELECT / INSERT / UPDATE / DELETE)Supabase RLS · Policy patternMulti-tenant RLS with workspaces in SupabaseSupabase RLS · Multi-tenantHow to test tenant isolation in Supabase (RLS)Supabase RLS · TestingUSING (true) is a security hole — how to fix a permissive RLS policySupabase RLS · FixWhy is my Supabase table public? (RLS is off)Supabase RLS · LeakNext.js App Router + Supabase auth with RLS (SSR)Supabase RLS · Next.jsRLS in CI: fail the build when a table ships exposedSupabase RLS · CIowner_id vs workspace_id: which RLS pattern to useSupabase RLS · DecisionRLS vs app-layer authorization: which and whySupabase RLS · Decision
FREE · MIT

Make RLS the default

Start from nextjs-supabase-starter, gate it in CI with npx airlock-rls, or grab the one-page cheat sheet.