HIGHSecuritysmallNext.js + Supabase Standards

Use the anon key for public-facing pages

Public pages (explore, content detail) should use createReadOnlyClient() with the anon key, not the service_role.

Why This Matters

Using service_role for public page reads bypasses RLS unnecessarily, removing a security layer and potentially exposing private data if a query filter is wrong.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

RLS is defense-in-depth. Even on public pages, RLS ensures:

Only is_published = true content is visible
Private org content stays private
No accidental data exposure from query bugs

Good

// Public explore page
const supabase = createReadOnlyClient()
const { data } = await supabase
  .from("rules")
  .select("*")
  .eq("is_published", true)
  .eq("visibility", "public")

Bad

// Using admin client for reads — bypasses RLS!
const admin = createAdminClient()
const { data } = await admin.from("rules").select("*")

Use the anon key for public-facing pages

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good

Bad