zlacker

2 comments
1. JustSk+(OP) 2026-02-02 22:00:50
Supabase seriously needs to work on its messaging around RLS. I have seen _so_ many apps get hacked because the devs didn't add a proper RLS policy and end up exposing all of their data.

(As an aside, accessing the DB through the frontend has always been weird to me. You almost certainly have a backend anyway, use it to fetch the data!)

replies(2): >>twodav+U >>passwo+bD
2. twodav+U 2026-02-02 22:04:05
>>JustSk+(OP)
It really should be as simple as denying public access until an RLS policy exists.
3. passwo+bD 2026-02-03 00:56:47
>>JustSk+(OP)
They send out automated security warning emails weekly; every publicly accessible table without RLS is listed as a security error if you log in to see the details. Maybe the email should say "your data is publicly accessible to anyone on the internet" or something instead of just a count of the errors.
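An added example, not from any of the comments above, showing the default-deny behaviour twodav+U asks for and the check behind the warning passwo+bD describes. The `invoices` table is constructed for illustration; `auth.uid()` is Supabase's helper that returns the calling user's id.

```sql
-- Constructed example table (name and columns are assumptions).
create table public.invoices (
  id bigint generated always as identity primary key,
  owner_id uuid not null default auth.uid(),
  amount_cents integer not null
);

-- Without RLS, the anon/authenticated roles that Supabase grants on the
-- public schema can read every row through the auto-generated REST API.
-- Enabling RLS with no policy yet denies all access for those roles:
-- the "deny until a policy exists" default the comment above wants.
alter table public.invoices enable row level security;

-- Then open only what is needed: a signed-in user sees and inserts
-- nothing but their own rows.
create policy "owner can read own invoices"
  on public.invoices for select
  to authenticated
  using (owner_id = (select auth.uid()));

create policy "owner can insert own invoices"
  on public.invoices for insert
  to authenticated
  with check (owner_id = (select auth.uid()));

-- Audit query: public-schema tables with RLS disabled, i.e. the condition
-- the weekly warning email counts. Run it as the table owner (postgres).
select n.nspname as schema, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')   -- ordinary and partitioned tables
  and not c.relrowsecurity
order by table_name;

-- Companion check: RLS enabled but no policy at all. That is safe
-- (everything is denied) but usually means the table is not finished.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
  and p.oid is null
order by table_name;
```

The audit queries return the exposed tables by name rather than a count, which is the detail the email is missing.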