RLS misconfiguration occurs when database tables lack proper row-level access controls, allowing unauthorized users to read, modify, or delete any data.
Row Level Security (RLS) is a PostgreSQL feature used by Supabase to control which rows users can access. When RLS is disabled or misconfigured, your entire database becomes accessible to anyone with your public anon key, which is visible in your frontend code by design.
Complete data breach - attackers can read all user data
Data manipulation - attackers can modify or delete records
Privacy violations and regulatory non-compliance
Reputational damage and loss of user trust
Potential legal liability
First, enable Row Level Security on every table that contains data.
-- Enable RLS
ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
Then write policies that require authentication and restrict each user to their own rows.
-- Users can only read their own profile
CREATE POLICY "Users read own profile" ON profiles
FOR SELECT TO authenticated
USING ((select auth.uid()) = id);
-- Users can only update their own profile
CREATE POLICY "Users update own profile" ON profiles
FOR UPDATE TO authenticated
USING ((select auth.uid()) = id);
Verify that the policies work by querying as different user contexts.
-- As anonymous user, this should return nothing:
SELECT * FROM profiles;
-- As authenticated user, should only return own data:
SELECT * FROM profiles WHERE id = auth.uid();
VAS automatically scans for Row Level Security (RLS) misconfiguration and provides detailed remediation guidance.
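The three steps above (enable RLS, write policies, verify) carried through end to end for a hypothetical posts table, as an added example that is not code from the original page or from Supabase. It adds the audit query a reviewer would run first, INSERT/UPDATE policies with WITH CHECK so a user cannot write rows attributed to someone else, and a verification that runs inside a rolled-back transaction. The verification SELECTs deliberately have no WHERE clause: filtering by id in the query itself (as in the snippet above) would return only your own row even on a table with no RLS at all, so it does not prove the policy is doing the work. The test assumes, as is the case for Supabase's auth.uid() helper, that the user id is read from the sub claim in the request.jwt.claims setting, and that the standard anon and authenticated roles exist; the table, column names and UUIDs are constructed for the example.

```sql
-- Added example (not from the original page or Supabase): full RLS pass on a
-- hypothetical "posts" table, followed by a verification in a transaction.
-- Assumption: auth.uid() reads the "sub" claim from request.jwt.claims, and the
-- anon / authenticated roles exist (standard in Supabase projects).

-- 1. Audit: which public tables still have RLS disabled?
--    pg_tables.rowsecurity is false until ENABLE ROW LEVEL SECURITY is run.
SELECT schemaname, tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND NOT rowsecurity;

-- 2. Hypothetical table for the walkthrough.
CREATE TABLE IF NOT EXISTS posts (
  id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  author_id uuid    NOT NULL DEFAULT auth.uid(),
  body      text    NOT NULL,
  is_public boolean NOT NULL DEFAULT false
);

-- 3. Enable RLS. With no policies yet this denies every row to anon and
--    authenticated (safe default). The table owner bypasses RLS unless
--    FORCE ROW LEVEL SECURITY is also set, which is why the seed below works.
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;

-- 4. Policies. USING filters rows for SELECT/UPDATE/DELETE; WITH CHECK
--    validates the rows being written by INSERT/UPDATE, so a caller cannot
--    insert or rewrite a row under another user's author_id.
CREATE POLICY "Public posts readable by anyone" ON posts
  FOR SELECT TO anon, authenticated
  USING (is_public);

CREATE POLICY "Authors read own posts" ON posts
  FOR SELECT TO authenticated
  USING ((select auth.uid()) = author_id);

CREATE POLICY "Authors insert own posts" ON posts
  FOR INSERT TO authenticated
  WITH CHECK ((select auth.uid()) = author_id);

CREATE POLICY "Authors update own posts" ON posts
  FOR UPDATE TO authenticated
  USING ((select auth.uid()) = author_id)
  WITH CHECK ((select auth.uid()) = author_id);

CREATE POLICY "Authors delete own posts" ON posts
  FOR DELETE TO authenticated
  USING ((select auth.uid()) = author_id);

-- 5. Verify. Everything is rolled back at the end, so the test leaves no data.
BEGIN;

-- Seed two users' rows as the table owner (RLS is not enforced on the owner).
-- Constructed sample UUIDs.
INSERT INTO posts (author_id, body, is_public) VALUES
  ('11111111-1111-1111-1111-111111111111', 'alice private', false),
  ('11111111-1111-1111-1111-111111111111', 'alice public',  true),
  ('22222222-2222-2222-2222-222222222222', 'bob private',   false);

-- Anonymous caller: expect exactly one row, 'alice public'.
SET LOCAL ROLE anon;
SELECT author_id, body FROM posts;

-- Authenticated as Alice: expect her two rows and never 'bob private'.
SET LOCAL ROLE authenticated;
SET LOCAL request.jwt.claims TO '{"sub":"11111111-1111-1111-1111-111111111111"}';
SELECT author_id, body FROM posts;

-- Alice trying to write a row attributed to Bob: expect the error
-- "new row violates row-level security policy for table "posts"".
INSERT INTO posts (author_id, body)
  VALUES ('22222222-2222-2222-2222-222222222222', 'spoofed');

ROLLBACK;
```

Run the audit query first on an existing project: any table it lists is reachable in full through the anon key. The SET LOCAL ROLE / SET LOCAL request.jwt.claims pair is scoped to the transaction, so the rollback restores both the role and the claims along with the seeded rows; if the last INSERT errors as expected, the transaction is already aborted and ROLLBACK simply closes it.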