RLS Disabled in Public

Level: ERROR

Rationale

Tables in the public schema are accessible over Supabase APIs. If row level security (RLS) is not enabled on a public table, anyone with the project's URL can CREATE/READ/UPDATE/DELETE (CRUD) rows in the impacted table. Publicly exposing full CRUD to the internet is a critically unsafe configuration.

How to Resolve

To enable RLS on a table execute:

alter table <schema>.<table> enable row level security;

Note that after enabling RLS you will not be able to use the anon role to read or write data to the table via Supabase APIs until you create row level security policies to control access.

Example

Given the schema:

create table public.blog(
    id int primary key,
    user_id uuid not null,
    title text not null
);

Any user with access to the project's URL will be able to perform CRUD operations on the public.blog table. To restrict access to users specified in row level security policies, enable RLS with:

alter table public.blog enable row level security;
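The following is an added example (not part of the Supabase docs page) that carries the resolution through end to end for the public.blog table above: enable RLS, then add the policies that the note in "How to Resolve" says are required before the anon or authenticated roles can touch the table again, and finally query the catalog to confirm no public table is left without RLS. It assumes Supabase's auth.uid() helper, which returns the id of the calling user, and the built-in anon and authenticated roles; the policy names are made up for illustration.

```sql
-- Added example, not from the Supabase docs page.
-- Assumes the Supabase helper auth.uid() and the built-in roles anon/authenticated.

create table public.blog(
    id int primary key,
    user_id uuid not null,
    title text not null
);

-- 1. Enable RLS. From this point on the anon and authenticated roles get no
--    rows back and cannot write until a policy grants access.
alter table public.blog enable row level security;

-- 2. Read access for everyone, including the anon role.
create policy "blog is publicly readable"
    on public.blog
    for select
    using (true);

-- 3. Write access only for signed-in users, and only on rows they own.
create policy "users insert their own posts"
    on public.blog
    for insert
    to authenticated
    with check (auth.uid() = user_id);

create policy "users update their own posts"
    on public.blog
    for update
    to authenticated
    using (auth.uid() = user_id)
    with check (auth.uid() = user_id);

create policy "users delete their own posts"
    on public.blog
    for delete
    to authenticated
    using (auth.uid() = user_id);

-- 4. Verification: list ordinary tables in the public schema that still have
--    RLS disabled. After the statements above, public.blog must not appear.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Two Postgres semantics are worth keeping in mind when reading the policies: the table owner is exempt from RLS unless you also run `alter table public.blog force row level security;`, and a role with the bypassrls attribute (which Supabase's service_role has) ignores policies entirely, so the service_role key must never be shipped to a client. The verification query is the same check this lint performs; running it after a migration catches tables created without RLS before they are exposed over the API.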