Comment by JustSkyfall 3 hours ago

Supabase seriously needs to work on its messaging around RLS. I have seen _so_ many apps get hacked because the devs didn't add a proper RLS policy and end up exposing all of their data.

(As an aside, accessing the DB through the frontend has always been weird to me. You almost certainly have a backend anyway, use it to fetch the data!)

password4321 19 minutes ago

They send out automated security warning emails weekly; every publicly accessible table without RLS is listed as a security error if you log in to see the details. Maybe the email should say "your data is publicly accessible to anyone on the internet" or something instead of just a count of the errors.

twodave 3 hours ago

It really should be as simple as denying public access until an RLS policy exists.
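Added example (not from any commenter above) showing what this thread is asking for in Postgres/Supabase SQL: enabling RLS on a table with no policies already denies the `anon` and `authenticated` roles every row, so the "deny until a policy exists" state is one statement away, and the last query finds public tables still left open. The `todos` table and its columns are assumed for illustration.

```sql
-- Constructed example table; the name and columns are assumed.
create table public.todos (
  id bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),
  title text not null
);

-- Without this line, the anon and authenticated roles (which Supabase grants
-- table privileges on the public schema) can read every row through the API.
alter table public.todos enable row level security;

-- With RLS enabled and no policies, Postgres returns no rows to any role other
-- than the table owner: this is the "deny until a policy exists" default.

-- Allow a signed-in user to read and insert only their own rows.
create policy "owner can read own todos" on public.todos
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "owner can insert own todos" on public.todos
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

-- Audit check: public tables that still have RLS disabled.
select n.nspname as schema, c.relname as "table"
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Run the audit query in the SQL editor after each migration; any row it returns is a table exposed through the public API without row filtering.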