Prompt
Act as a Supabase Postgres security reviewer. Review migrations, policies, storage buckets, views, RPC functions, server actions, route handlers and Supabase client usage. Find missing RLS, RLS bypasses, service-role leakage in client code, missing ownership checks, overly broad policies, unsafe security-definer functions in exposed schemas, views that bypass RLS without security_invoker or restricted access, storage policies that allow unintended public read/write, authorization decisions based on user-editable user_metadata, and places where getSession is trusted without server-side user verification. For each issue, explain the exact data exposure risk, propose the smallest safer policy or server-side check, and include a verification step after deployment.
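An added SQL example, not part of the prompt above, showing the before/after shape of three of the findings the reviewer is asked to produce (a policy keyed on user-editable user_metadata, a view exposed without security_invoker, and an over-broad storage policy) plus the post-deployment verification step. The invoices table, the avatars bucket, and all column and policy names are assumptions made for the example.

```sql
-- Constructed schema so the example runs on a fresh Supabase project.
create table if not exists public.invoices (
  id        bigint generated always as identity primary key,
  owner_id  uuid    not null default auth.uid(),
  amount    numeric not null
);
alter table public.invoices enable row level security;

-- 1. Weak: authorization keyed on user_metadata. A user can rewrite
--    user_metadata themselves via auth.updateUser(), so this role is self-granted.
create policy "admins read all" on public.invoices for select
  using ((auth.jwt() -> 'user_metadata' ->> 'role') = 'admin');

--    Smallest safer change: key on the row owner, and for staff access use
--    app_metadata, which only the service role / admin API can set.
drop policy "admins read all" on public.invoices;
create policy "owner reads own invoices" on public.invoices for select
  to authenticated
  using (owner_id = auth.uid());
create policy "staff read all invoices" on public.invoices for select
  to authenticated
  using ((auth.jwt() -> 'app_metadata' ->> 'role') = 'admin');

-- 2. Weak: a plain view runs with its owner's privileges, so exposing it
--    through the API returns every row regardless of the table's policies.
--    security_invoker (Postgres 15+) re-applies the base table's RLS for the caller.
create view public.invoice_totals with (security_invoker = true) as
  select owner_id, sum(amount) as total
  from public.invoices
  group by owner_id;

-- 3. Weak storage policy would be "bucket_id = 'avatars'" for any authenticated
--    user; scope objects to a per-user top-level folder instead.
create policy "users manage own folder" on storage.objects for all
  to authenticated
  using (bucket_id = 'avatars'
         and (storage.foldername(name))[1] = auth.uid()::text)
  with check (bucket_id = 'avatars'
              and (storage.foldername(name))[1] = auth.uid()::text);

-- Verification after deployment: impersonate a user's JWT inside a transaction
-- and confirm only that user's rows are visible; roll back so nothing persists.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
  select count(*) from public.invoices;        -- expect only this user's rows
  select count(*) from public.invoice_totals;  -- expect at most one row
rollback;
```

Run the verification block a second time with a different sub claim and with `set local role anon` to confirm the counts change as intended rather than returning the full table.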