Comment by _fat_santa 4 hours ago

4 replies

It's kinda shocking that the same Supabase RLS security hole we saw so many times in past vibe coded apps is still in this one. I've never used Supabase but at this point I'm kinda curious what steps actually lead to this security hole.

In every project I've worked on, PG is only accessible via your backend and your backend is the one that's actually enforcing the security policies. When I first heard about the Supabase RLS issue the voice inside of my head was screaming: "if RLS is the only thing stopping people from reading everything in your DB then you have much much bigger problems."

xXSLAYERXx 3 hours ago

Just started vibing and have integrated codex into my side project which uses Supabase. I turned off RLS so that I could iterate quickly and not have to mess with security policies. Fully understand that this isn't production grade and have every intention of locking it down when I feel the time is right. I access it from a ReactNative app - no server in the middle. Codex does not have access to my Supabase instance.

  • ryanjshaw 3 hours ago

    RLS doesn’t slow you down. It actually speeds things up because you are forced to design things properly. It’s like type checking.

    • xXSLAYERXx 3 hours ago

      That makes sense and appreciate the response. Definitely a topic I need to invest more time with if that is the case.

bgschulman31 2 hours ago

My thought exactly. Is this standard practice with using Supabase to simply expose the production database endpoint to the world with only RLS to protect you?
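
For readers following the RLS back-and-forth above, here is an added example (not code from any commenter, and not Supabase's own SQL) showing in plain PostgreSQL what "RLS is the only gate" means when a client app talks to the database directly. The `notes` table, the `app_uid()` helper and the `anon`/`authenticated` role names are assumptions that mirror the Supabase pattern, where the API gateway exposes the caller's JWT `sub` claim as a connection setting and `auth.uid()` reads it; the uuids in the check at the end are constructed sample values.

```sql
-- Added example: RLS off versus RLS on, for a table reached straight from a client app.
-- Role names, table and app_uid() are constructed to mirror the Supabase pattern.

-- Roles the exposed endpoint connects as (Supabase ships similarly named roles;
-- these are created here only so the script runs on a plain PostgreSQL instance).
create role anon nologin;
create role authenticated nologin;

-- Hypothetical stand-in for auth.uid(): the user id is read from the JWT "sub"
-- claim that the gateway puts on the connection as a setting.
create function app_uid() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claim.sub', true), '')::uuid
$$;

create table notes (
  id       bigserial primary key,
  owner_id uuid not null default app_uid(),
  body     text not null
);

-- The weak state the thread describes: the client roles hold table grants and
-- RLS is off, so every row is readable by anyone holding the public key.
grant select, insert, update, delete on notes to anon, authenticated;
grant usage, select on sequence notes_id_seq to authenticated;
alter table notes disable row level security;   -- same as never enabling it

-- Hardened state: enable RLS (FORCE binds the table owner too), then give each
-- operation a policy scoped to the caller's own rows. No policy for anon means
-- anonymous callers get zero rows, not all of them.
alter table notes enable row level security;
alter table notes force row level security;

create policy notes_select_own on notes
  for select to authenticated
  using (owner_id = app_uid());

create policy notes_insert_own on notes
  for insert to authenticated
  with check (owner_id = app_uid());

create policy notes_update_own on notes
  for update to authenticated
  using (owner_id = app_uid())
  with check (owner_id = app_uid());

create policy notes_delete_own on notes
  for delete to authenticated
  using (owner_id = app_uid());

-- Check from psql as a superuser: impersonate two users and an anonymous caller.
begin;
  set local role authenticated;
  select set_config('request.jwt.claim.sub', '11111111-1111-1111-1111-111111111111', true);
  insert into notes (body) values ('alice note');
  select set_config('request.jwt.claim.sub', '22222222-2222-2222-2222-222222222222', true);
  insert into notes (body) values ('bob note');
  select body from notes;        -- returns only 'bob note'
  reset role;
  set local role anon;
  select count(*) from notes;    -- returns 0: no policy exists for anon
rollback;
```

The point the example makes for bgschulman31's question: the direct-from-app pattern is only as safe as the policies on every table the public roles can reach. A table that keeps the default grants but has RLS disabled is readable through the same endpoint by anyone with the public key, which is exactly the hole the thread is describing; the `force row level security` line and the absence of any `anon` policy are the two pieces people most often leave out.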