
Row Level Security: Database Firewall

Because Supabase generates a RESTful API that is accessible directly from client-side scripts, any user can inspect network traffic and attempt to fetch or modify records. To secure your database tables, you must enable Row Level Security (RLS).


1. What is Row Level Security?

Row Level Security is a security mechanism built directly into PostgreSQL. When RLS is enabled on a table, all queries against that table are filtered by security policies defined in the database.

If a query does not satisfy the rules defined in your RLS policies, PostgreSQL returns no rows (the API responds with an empty array) or rejects the write, even if the database credentials are correct.


2. Why Anon Keys are Not Enough

When you configure your client instance:

// Initializing the client with public credentials
import { createClient } from '@supabase/supabase-js';
export const supabase = createClient(SUPABASE_URL, ANON_KEY);

The public ANON_KEY only authorizes access to the PostgREST API gateway; it does not grant access to specific table rows. Without enabling RLS and defining explicit policies:

  • Anyone can bypass your application business logic and query your database tables directly.
  • Users can view or delete records belonging to other users.

3. How RLS Authorizes Requests

When an authenticated user executes a query:

  1. The client sends the user's JSON Web Token (JWT) in the request header.
  2. PostgreSQL decodes the JWT to verify the user's identity.
  3. PostgreSQL evaluates the table's RLS policies using built-in helper functions (like auth.uid() or auth.email()).
  4. Only the rows for which the policy expression evaluates to true are returned in the response payload.
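The flow above, applied to a concrete table, as an added example that is not part of the original course material. The todos table, its columns, the policy names and the sample user id are assumptions; auth.uid() reads the sub claim of the request JWT, which is why the check at the end sets that claim before querying.

```sql
-- Added example (not from the original page): a per-user "todos" table.
-- Table and column names are assumptions.
create table public.todos (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  title   text not null,
  done    boolean not null default false
);

-- Weak state: without this line, anyone holding the public anon key can
-- read, change or delete every row through the API.
alter table public.todos enable row level security;

-- Corrected state: one policy per command. USING filters rows that may be
-- read/changed/deleted; WITH CHECK validates rows being written.
create policy "users read own todos"
  on public.todos for select to authenticated
  using (auth.uid() = user_id);

create policy "users insert own todos"
  on public.todos for insert to authenticated
  with check (auth.uid() = user_id);

create policy "users update own todos"
  on public.todos for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "users delete own todos"
  on public.todos for delete to authenticated
  using (auth.uid() = user_id);

-- Check from the SQL editor: mimic what the API gateway sets for a request.
-- Anonymous request: RLS is on and no policy targets the anon role, so 0 rows.
begin;
set local role anon;
select count(*) from public.todos;
rollback;

-- Authenticated request for one user (placeholder uuid): only that user's rows.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
select id, title, done from public.todos;  -- rows where user_id = that sub
rollback;
```

Run the two check blocks after inserting a few rows for different user ids to confirm that the anon block sees nothing and the authenticated block sees only the matching user's rows.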