Last updated: January 12, 2026
Use this checklist to ensure your Supabase application is secure before launch. 6 critical items require immediate attention.
ALTER TABLE x ENABLE ROW LEVEL SECURITY;
Control who can read data
Control who can create data
Control who can modify data
Control who can remove data
Performance optimization for RLS
This key is public by design
Never expose in client code
Generate new keys in dashboard
Verify auth.uid() in RPC functions
Understand implications of elevated privileges
Validate parameters in functions
Require email verification
Set minimum requirements
Protect against brute force
Each CRUD operation (SELECT, INSERT, UPDATE, DELETE) needs its own policy. A table with RLS enabled but no policies blocks ALL access. A table with only a SELECT policy allows reads but blocks writes. You need policies for every operation your app performs.
Using (select auth.uid()) instead of auth.uid() in RLS policies improves performance. The subquery is evaluated once per query rather than once per row. On large tables this can significantly speed up queries. The Supabase linter warns about this.
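The two points above (one policy per operation, and wrapping auth.uid() in a subquery) worked through on a constructed table; this is an added example, not code from the checklist itself, and the notes table, its owner_id column and the policy names are assumptions.

```sql
-- Constructed example table; the table and column names are assumptions.
create table public.notes (
  id        bigint generated always as identity primary key,
  owner_id  uuid not null default auth.uid(),
  body      text not null
);

-- Step 1: enable RLS. From here on, roles subject to RLS (anon, authenticated)
-- get no rows and cannot write until a policy explicitly allows it.
alter table public.notes enable row level security;

-- Step 2: one policy per operation the app performs. Each policy wraps
-- auth.uid() in (select ...) so the planner evaluates it once per statement
-- instead of once per row, which is what the Supabase linter recommends.
create policy "notes_select_own"
  on public.notes for select
  to authenticated
  using ( (select auth.uid()) = owner_id );

create policy "notes_insert_own"
  on public.notes for insert
  to authenticated
  with check ( (select auth.uid()) = owner_id );

create policy "notes_update_own"
  on public.notes for update
  to authenticated
  using ( (select auth.uid()) = owner_id )
  with check ( (select auth.uid()) = owner_id );

create policy "notes_delete_own"
  on public.notes for delete
  to authenticated
  using ( (select auth.uid()) = owner_id );

-- Check 1: confirm RLS is actually enabled on the table.
select c.relrowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relname = 'notes';

-- Check 2: list the policies by command. Any command your app issues that
-- does not appear here is blocked, not silently allowed.
select cmd, policyname, roles
from pg_policies
where schemaname = 'public' and tablename = 'notes'
order by cmd;
```

Note that service_role bypasses RLS entirely, so these policies only protect requests made with the anon or authenticated roles.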