CRITICALSecuritysmallNext.js + Supabase Standards

Write restrictive RLS policies — deny by default

RLS defaults to deny all. Only add the specific policies you need. Never use USING (true) on private tables.

Why This Matters

A permissive USING (true) policy on a table with sensitive data exposes all rows to all users, negating the purpose of RLS.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

RLS is deny-by-default. With no policies, nobody can access rows. Add only what you need.

Good

-- Only org members can see their own org's data
CREATE POLICY "org_read" ON scans
  FOR SELECT USING (is_org_member(organization_id));
 
-- Only published public content is visible to anon
CREATE POLICY "public_read" ON rules
  FOR SELECT USING (is_published = true AND visibility = 'public');

Bad

-- DANGEROUS: Everyone can read everything
CREATE POLICY "anyone_can_read" ON scans
  FOR SELECT USING (true);

Write restrictive RLS policies — deny by default

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good

Bad