CRITICALSecuritytrivialNext.js + Supabase Standards

Enable RLS on every table

Every table must have Row Level Security enabled. Tables without RLS are fully accessible via the anon key.

Why This Matters

A single table without RLS allows any user with the anon key to read, insert, update, and delete all rows. This is the most common Supabase security mistake.

Related Rules

Use route groups to organize app sections

Architecture

HIGH

Colocate page files with their route segment

Architecture

MEDIUM

Use (select auth.uid()) instead of auth.uid() in policies

Performance

MEDIUM

Use kebab-case for file and directory names

Quality

MEDIUM

Catch this automatically on every PR

BeforeMerge scans your pull requests against this rule and 3+ others. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Why This Matters

Supabase exposes your database via a REST API using the anon key (which is public). Without RLS:

Any browser can query the table directly
No authentication required
Full CRUD access to all rows

Good

CREATE TABLE public.scans (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  organization_id uuid NOT NULL REFERENCES organization(id)
);
 
ALTER TABLE public.scans ENABLE ROW LEVEL SECURITY;
 
CREATE POLICY "Org members can view scans"
  ON public.scans FOR SELECT
  USING (is_org_member(organization_id));

Bad

CREATE TABLE public.scans (...);
-- Forgot to enable RLS — table is fully public!

Enable RLS on every table

Why This Matters

Tags

Related Rules

Catch this automatically on every PR

Why This Matters

Good

Bad