GeneralSupabaseIntermediate9 min read

How to Set Up Supabase Row Level Security (RLS)

Protect your Supabase database with Row Level Security policies. The most important security step for any vibe coded app using Supabase.

Before you start

✓A Supabase project with at least one table
✓Basic understanding of SQL

Step by step

Enable RLS on your tables

RLS is disabled by default. Enable it for every table that contains user data.

ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
ALTER TABLE comments ENABLE ROW LEVEL SECURITY;

Create a 'users see own data' policy

The most common policy: users can only read and modify their own rows.

CREATE POLICY "Users see own data"
ON profiles FOR ALL
USING (auth.uid() = id)
WITH CHECK (auth.uid() = id);

Create a 'public read' policy

For content that should be publicly visible (like blog posts), allow anyone to read.

CREATE POLICY "Public can read published posts"
ON posts FOR SELECT
USING (published = true);

CREATE POLICY "Authors can manage own posts"
ON posts FOR ALL
USING (auth.uid() = author_id)
WITH CHECK (auth.uid() = author_id);

Test your policies

Use the Supabase SQL editor to test policies by switching roles.

-- Test as an authenticated user:
SET request.jwt.claim.sub = 'user-uuid-here';
SET role TO 'authenticated';
SELECT * FROM profiles;

-- Test as anonymous:
SET role TO 'anon';
SELECT * FROM posts;

Handle service-role access

Your backend sometimes needs to bypass RLS (e.g., admin operations). Use the service role key for this.

// Server-side only — never expose in browser:
import { createClient } from '@supabase/supabase-js'

const supabaseAdmin = createClient(
  process.env.SUPABASE_URL,
  process.env.SUPABASE_SERVICE_ROLE_KEY
)
// This client bypasses RLS