RLS Disabled in Public
Level: ERROR
Rationale
Tables in the public schema are accessible over Supabase APIs. If row level security (RLS) is not enabled on a public table, anyone with the project's URL can CREATE/READ/UPDATE/DELETE (CRUD) rows in the impacted table. Publicly exposing full CRUD to the internet is a critically unsafe configuration.
How to Resolve
To enable RLS on a table execute:
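The enabling statement, followed by a query that lists any tables in the public schema still lacking RLS, as an added example rather than the page's own snippet. The table name `public.my_table` is a constructed placeholder; the catalog columns used (`pg_class.relrowsecurity`, `relkind`, `pg_namespace.nspname`) are standard PostgreSQL.

```sql
-- Added example, not the page's own code. public.my_table is a constructed
-- placeholder; substitute the table the linter flagged.

-- Enable RLS on the table. Once enabled, roles that do not bypass RLS
-- (the anon and authenticated API roles included) see no rows and can
-- change no rows until a policy grants them access.
alter table public.my_table enable row level security;

-- Verification: list every ordinary or partitioned table in the public
-- schema that still has RLS disabled. An empty result means no table in
-- public is exposed with full CRUD through the API.
select n.nspname as schema_name,
       c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind in ('r', 'p')      -- ordinary and partitioned tables
  and n.nspname = 'public'
  and not c.relrowsecurity         -- RLS not enabled
order by c.relname;
```

Run the select before and after the alter: the flagged table should appear in the first result and be absent from the second.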
Note that after enabling RLS you will not be able to use the anon role to read or write data to the table via Supabase APIs until you create row level security policies to control access.
Example
Given the schema:
Any user with access to the project's URL will be able to perform CRUD operations on the public.blog table. To restrict access to users specified in row level security policies, enable RLS with:
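A complete version of the blog example, written here as an added illustration and not taken from the page: it creates the table, enables RLS, and then adds the policies the Note above says are required before the API roles can use the table again. The table definition (including the `author_id` column) is constructed for this example, and the policies assume Supabase's `auth.uid()` helper and its built-in `authenticated` role.

```sql
-- Added example, not the page's own schema. Columns are constructed;
-- auth.uid() and the authenticated role are assumed to be the Supabase
-- defaults.
create table public.blog (
  id        bigint generated always as identity primary key,
  author_id uuid not null default auth.uid(),
  title     text not null,
  content   text
);

-- Before this statement, any holder of the project URL and anon key can
-- read and modify every row of public.blog through the API.
alter table public.blog enable row level security;

-- With RLS enabled and no policies, the anon and authenticated roles get
-- no access at all. Grant back only what is intended, per operation.

-- Anyone, anon included, may read posts.
create policy "blog: public read"
  on public.blog
  for select
  using (true);

-- Only signed-in users may insert, and only rows attributed to themselves.
create policy "blog: authors insert own posts"
  on public.blog
  for insert
  to authenticated
  with check (author_id = auth.uid());

-- Authors may update only their own rows, and cannot reassign them.
create policy "blog: authors update own posts"
  on public.blog
  for update
  to authenticated
  using (author_id = auth.uid())
  with check (author_id = auth.uid());

-- Authors may delete only their own rows.
create policy "blog: authors delete own posts"
  on public.blog
  for delete
  to authenticated
  using (author_id = auth.uid());
```

The split into per-operation policies is deliberate: a single permissive `for all` policy with `using (true)` would restore exactly the open CRUD the lint warns about, while the shape above keeps reads public and limits every write to the row's own author.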