Comment by JustSkyfall
10 hours ago
Supabase seriously needs to work on its messaging around RLS. I have seen _so_ many apps get hacked because the devs didn't add a proper RLS policy and end up exposing all of their data.
(As an aside, accessing the DB through the frontend has always been weird to me. You almost certainly have a backend anyway, use it to fetch the data!)
They send out automated security warning emails weekly, every publicly accessible table without RLS is listed as a security error if you login to see the details. Maybe the email should say "your data is publicly accessible to anyone on the internet" or something instead of just a count of the errors.
It really Should be as simple as denying public access until RLS policy exists.