Is your Lovable Supabase RLS disabled? How to enable it properly

Last updated 15 April 2026 · 7 min read · By Hyder Shah
Direct answer

Roughly 70% of the Lovable-built apps we audit ship with Supabase Row Level Security (RLS) disabled on at least one table. The widely reported February 2026 Lovable/Supabase RLS disclosure was this single misconfiguration at scale. Fix: enable RLS on every table, add per-user auth.uid() = user_id policies for SELECT, INSERT, UPDATE and DELETE, then rotate the anon and service_role keys. Total time: about 15 minutes.

Quick fix

Start here

01. Audit every table

Supabase Dashboard → Database → Tables. For each table, check the RLS column and note which are off. Do not skip tables you did not create by hand: profiles, posts, subscriptions and messages are the usual leaks.

Deeper fixes when the quick fix fails

02. Enable RLS on every table

    alter table public.profiles enable row level security;
    alter table public.posts enable row level security;
    -- repeat for every table in the public schema

03. Add per-user SELECT / INSERT / UPDATE / DELETE policies

    -- SELECT: the using clause decides which existing rows are visible
    create policy "own rows read"
      on public.posts for select
      using (auth.uid() = user_id);

    -- INSERT: the with check clause decides which new rows may be written
    create policy "own rows write"
      on public.posts for insert
      with check (auth.uid() = user_id);

    -- UPDATE: using picks the rows that may be touched, with check
    -- stops a user from re-assigning a row to someone else
    create policy "own rows update"
      on public.posts for update
      using (auth.uid() = user_id)
      with check (auth.uid() = user_id);

    -- DELETE: without this a logged-in user can delete nothing, which is
    -- safe but usually not what the app expects
    create policy "own rows delete"
      on public.posts for delete
      using (auth.uid() = user_id);

04. Test with two users in incognito windows

Log in as User A in one window and User B in another. User A must not see any of User B's rows; if it does, the SELECT policy's using clause is wrong, or a permissive using (true) policy is still in place. Then, as User A, try to insert or update a row whose user_id is User B's id. If that succeeds, the with check clause is missing on INSERT or UPDATE.

05. Rotate the anon and service_role keys

If RLS was off for any period, assume bots have already scraped the data. Supabase Dashboard → Project Settings → API → Reset keys. Update your production env and redeploy. Rotation cuts off anyone still using the old key; it does not undo reads that already happened.

06. Notify affected users if required

Under GDPR, CCPA and most other regimes, a personal-data exposure requires disclosure. Consult counsel. Draft the email with a specific date range and a specific mitigation (keys rotated, RLS enabled, monitoring added).
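Steps 02 to 04 as one script, added here as an example and not taken from Lovable, Supabase or any real project. It assumes a per-user table public.posts(id, user_id, body); the column names and the two user UUIDs are constructed for the test. Run it in the Supabase SQL editor as the postgres role, which bypasses RLS for the seed rows and may SET ROLE authenticated to act as a logged-in user. Supabase's auth.uid() reads the sub claim from the request.jwt.claims setting, which is what the test sets by hand to impersonate User A.

```sql
-- Added example, not Lovable's or Supabase's own migration. Assumes
-- public.posts(id, user_id, body); column names and user UUIDs are
-- constructed. Run as the postgres role in the Supabase SQL editor.

-- Steps 02/03: enable RLS and add all four per-user policies.
create table if not exists public.posts (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),  -- owner; defaults to the caller
  body    text not null
);
-- In production add "references auth.users(id) on delete cascade" to user_id;
-- it is left off here so the constructed UUIDs below need no real accounts.

alter table public.posts enable row level security;

drop policy if exists "posts owner select" on public.posts;
drop policy if exists "posts owner insert" on public.posts;
drop policy if exists "posts owner update" on public.posts;
drop policy if exists "posts owner delete" on public.posts;

create policy "posts owner select" on public.posts
  for select to authenticated using (auth.uid() = user_id);
create policy "posts owner insert" on public.posts
  for insert to authenticated with check (auth.uid() = user_id);
create policy "posts owner update" on public.posts
  for update to authenticated
  using (auth.uid() = user_id) with check (auth.uid() = user_id);
create policy "posts owner delete" on public.posts
  for delete to authenticated using (auth.uid() = user_id);
-- No policy is granted to anon, so unauthenticated visitors see zero rows.

-- Step 04: two-user test, fully rolled back so no test data is left behind.
begin;

insert into public.posts (user_id, body) values
  ('11111111-1111-1111-1111-111111111111', 'alice: hello'),   -- constructed user A
  ('22222222-2222-2222-2222-222222222222', 'bob: private');   -- constructed user B

-- Become user A for the rest of the transaction.
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';

do $$
declare
  n bigint;
begin
  -- SELECT: A must see exactly her own row, never B's.
  select count(*) into n from public.posts;
  if n <> 1 then
    raise exception 'SELECT policy leaks: user A sees % rows, expected 1', n;
  end if;

  -- INSERT: A must not be able to plant a row owned by B.
  begin
    insert into public.posts (user_id, body)
      values ('22222222-2222-2222-2222-222222222222', 'spoofed as bob');
    raise exception 'INSERT with check missing: user A wrote a row owned by user B';
  exception when insufficient_privilege then
    null;  -- RLS rejected it (SQLSTATE 42501), which is the correct outcome
  end;

  -- UPDATE/DELETE: B's row must be invisible to A's writes (0 rows affected).
  update public.posts set body = 'hijacked'
    where user_id = '22222222-2222-2222-2222-222222222222';
  if found then
    raise exception 'UPDATE using clause missing: user A changed user B''s row';
  end if;
  delete from public.posts
    where user_id = '22222222-2222-2222-2222-222222222222';
  if found then
    raise exception 'DELETE policy missing: user A deleted user B''s row';
  end if;

  raise notice 'ok: per-user isolation holds on public.posts';
end $$;

rollback;
```

A failing check raises an error that the SQL editor shows; a passing run completes silently, since the editor does not reliably surface NOTICE output (psql does). For an existing Lovable table, skip the create table and keep the rest.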

Why AI-built apps hit this

A table created with plain SQL has RLS off, because that is the Postgres default, and Lovable creates tables through SQL migrations without enabling RLS or adding policies. Preview still works because Lovable's own session is the only client hitting the database. The moment real users arrive, every row is readable by every logged-in user, and because the anon role holds the default grants on the public schema, by unauthenticated visitors holding the public anon key as well.

This is the "authenticated users were blocked, unauthenticated visitors had full access" pattern from the February 2026 incident, and the same class of bug as every other public Supabase-leak story of the last three years.

Authenticated users were blocked. Unauthenticated visitors had full access to all data.
The Register, Lovable security incident, Feb 2026

Diagnose by failure mode

Check each table’s RLS state against this matrix.

State                      | What it means                             | Action
RLS off                    | Anyone with the anon key reads everything | Enable immediately + rotate the anon key
RLS on, no policies        | Nobody can read anything                  | Add at least one SELECT policy
RLS on, policy = true      | Same as RLS off: useless                  | Rewrite with auth.uid() = user_id
RLS on, auth.uid() policy  | Correct per-user isolation                | Test with two accounts
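The audit in step 01 and the matrix above can be done in one query instead of clicking through every table. The following is an added example, not from Lovable, Supabase or the incident coverage: it classifies every table in the public schema (the schema the anon and authenticated API roles can reach) into the matrix's states and also shows whether the anon role holds a raw SELECT grant, which is what turns "RLS off" into a public leak. The "policy = true" and auth.uid() detection is a text match on the deparsed policy expressions in pg_policies, so a policy written some other way lands in a "review by hand" row. Run it as the postgres role in the Supabase SQL editor.

```sql
-- Added example, not from Lovable or Supabase. Classifies public-schema
-- tables into the RLS states of the matrix. pg_tables.rowsecurity and the
-- pg_policies view are standard Postgres; auth.uid() is Supabase's helper.
with tbl as (
  select schemaname, tablename, rowsecurity as rls_enabled
  from pg_tables
  where schemaname = 'public'
),
pol as (
  select tablename,
         count(*) as policy_count,
         -- using (true) / with check (true) deparse to the literal 'true'
         bool_or(qual = 'true' or with_check = 'true') as has_true_policy,
         bool_or(coalesce(qual, '')       ilike '%auth.uid()%'
              or coalesce(with_check, '') ilike '%auth.uid()%') as has_uid_policy
  from pg_policies
  where schemaname = 'public'
  group by tablename
)
select t.tablename,
       t.rls_enabled,
       coalesce(p.policy_count, 0) as policies,
       -- table privilege, independent of RLS: with RLS off this alone is the leak
       has_table_privilege('anon', format('%I.%I', t.schemaname, t.tablename), 'SELECT')
         as anon_can_select,
       case
         when not t.rls_enabled
           then 'RLS off: enable now + rotate anon key'
         when coalesce(p.policy_count, 0) = 0
           then 'RLS on, no policies: nothing readable; add a SELECT policy'
         when p.has_true_policy
           then 'RLS on, policy = true: same as off; rewrite with auth.uid() = user_id'
         when p.has_uid_policy
           then 'RLS on, auth.uid() policy: test with two accounts'
         else 'RLS on, other policy: review by hand'
       end as state
from tbl t
left join pol p on p.tablename = t.tablename
order by t.rls_enabled, t.tablename;
```

Rows with rls_enabled = false and anon_can_select = true are the live holes; fix those first. A table that is auth.uid()-protected for SELECT but has a using (true) policy for any other command still shows as "policy = true", which is intended: one permissive policy is enough to undo the isolation.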

Still stuck?

Emergency triage · $299 · 48h turnaround
We restore service and write the root-cause report.

If RLS has been off for weeks, rotate keys and audit now.

  • You launched without checking RLS
  • Another developer built the Supabase schema
  • You want a written report for investors or counsel
start the triage →

Questions

How do I check if RLS is enabled on my Lovable Supabase tables?
Open the Supabase dashboard and go to Database → Tables. Each table shows an RLS status column. If any table says 'disabled' or 'off', you have a live security hole. Check every table, including the ones you did not create by hand: Lovable often creates auxiliary tables (profiles, sessions) you might not know about.
Why is RLS disabled by default on Lovable apps?
Postgres creates tables with RLS off, and a table created by a plain SQL migration inherits that default. Lovable relies on that behaviour and does not automatically enable RLS or add policies. This is a known gap: roughly 70% of the Lovable apps we audit ship with RLS off on at least one table.
What's the minimum RLS policy I need on a Lovable app?
For any table with user-owned rows you need four policies: SELECT using auth.uid() = user_id, INSERT with check auth.uid() = user_id, UPDATE using and with check auth.uid() = user_id, and DELETE using auth.uid() = user_id. Missing any one creates a specific hole. A missing INSERT with check, for example, lets any user create rows on behalf of any other user; a missing with check on UPDATE lets a user hand their own row to someone else.
Do I need to rotate my Supabase anon key after enabling RLS?
Yes, if RLS was ever off in production. Your anon key has been sent to every client that ever loaded your app, and bots scrape public Supabase URLs continuously. Rotate the anon and service_role keys, redeploy with the new values, and assume any data that was reachable via the old key has been read. Rotation stops further reads by anyone still holding the old key; only RLS stops reads with the new one.
How much does a Lovable security audit cost?
Our fixed-price Lovable Security Audit is $499 with 48-hour turnaround. It covers RLS on every table, secrets exposure, auth logic, CORS, rate limiting and webhook signature validation. You get a written report with copy-pasteable SQL patches.
Next step

Ship the fix. Keep the fix.

Emergency Triage restores service in 48 hours. Break the Fix Loop rebuilds CI so this error cannot ship again.

About the author

Hyder Shah leads Afterbuild Labs, shipping production rescues for apps built in Lovable, Bolt.new, Cursor, Replit, v0 and Base44. See our rescue methodology.

Experts for this problem

If this problem keeps coming back, you probably need ongoing expertise in the underlying stack.