afterbuild/ops

Fix Supabase RLS — before you leak data.

Row-level security is disabled on most AI-built Supabase apps. Across the apps we audit, 94% have no RLS policies at all. Here's how we fix that.

Quick verdict

What we deliver after the fix: every table gets policies, and every policy is tested with a script that logs in as a different user and confirms that the other user's rows are not returned. No guessing.

Where RLS goes wrong in AI-built apps

01. RLS disabled by default
Lovable, Bolt, v0, and Windsurf all create Supabase projects with RLS disabled. They build fast; security is your problem.

02. Any authenticated user reads all rows
Without policies, `SELECT * FROM invoices` returns every invoice in the database regardless of who's logged in.

03. INSERT without ownership
Users can insert rows owned by other users. Common in AI-generated apps that skip the `auth.uid()` check.

04. UPDATE and DELETE without ownership check
A user can update or delete records that belong to another user. We've seen this in every production audit.

05. Service role key in the client bundle
AI tools sometimes use the service role key in frontend code, bypassing RLS entirely. We find and replace it.

06. Missing storage bucket policies
Supabase Storage buckets have their own RLS. AI-generated apps almost never set them.

07. Policies that look correct but aren't
A policy that checks `user_id = auth.uid()` but was written before the auth.uid() extension was enabled does nothing.
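The following is an added example, not code from this page or from afterbuild/ops: it shows the per-command ownership policies that close items 02 through 04 above, and the in-SQL impersonation check used to confirm a second user cannot read or write another user's rows. It assumes a hypothetical `public.invoices` table with `id`, `user_id uuid` and `amount` columns, and Supabase's standard `auth.uid()`, which reads the `sub` claim from the `request.jwt.claims` setting.

```sql
-- Added example (not the page's own code). Assumed table:
-- public.invoices(id, user_id uuid, amount numeric).

-- Step 1: enable RLS. On its own this is the "locks everyone out" state
-- the FAQ describes: no policies means no rows for the authenticated role.
alter table public.invoices enable row level security;

-- Step 2: one policy per command, each tied to the caller's auth.uid().
-- SELECT: only rows the caller owns are visible (fixes item 02).
create policy "invoices_select_own" on public.invoices
  for select to authenticated
  using (user_id = auth.uid());

-- INSERT: WITH CHECK is what stops a user inserting rows owned by
-- someone else (item 03). USING never applies to INSERT.
create policy "invoices_insert_own" on public.invoices
  for insert to authenticated
  with check (user_id = auth.uid());

-- UPDATE: USING limits which rows can be targeted; WITH CHECK stops
-- re-assigning a row to another user_id in the same statement (item 04).
create policy "invoices_update_own" on public.invoices
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- DELETE: only the owner may delete (item 04).
create policy "invoices_delete_own" on public.invoices
  for delete to authenticated
  using (user_id = auth.uid());

-- Step 3: verify as a different user without leaving SQL. Inside a
-- transaction, take the `authenticated` role and set a constructed
-- user id (placeholder UUID) as the JWT `sub` claim, which is what
-- auth.uid() returns. Roll back so nothing persists.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000002","role":"authenticated"}',
    true);
  -- Expect: only invoices whose user_id is ...0002 (possibly zero rows).
  -- Rows belonging to any other user must not appear.
  select id, user_id from public.invoices;
  -- Expect: an RLS policy violation error, not a successful insert,
  -- because the row is being assigned to a different owner.
  insert into public.invoices (user_id, amount)
    values ('00000000-0000-0000-0000-000000000001', 10);
rollback;
```

Remember that the service role (item 05) bypasses RLS entirely, so run this check as `authenticated`, never with a service-role connection, or it will pass for the wrong reason.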
FAQ
What is Supabase RLS?
Row-Level Security (RLS) is a PostgreSQL feature that controls which rows a user can read, write, update, or delete. Without it, every authenticated user sees every row in your database.
Does my app have RLS enabled?
Probably not. AI-generated apps almost never enable it. You can check in the Supabase dashboard under Table Editor → [table] → RLS. If it says 'RLS disabled', every authenticated user can read every row.
Can I just enable RLS and be done?
No — enabling RLS without writing policies locks everyone out. The policies define which rows each user is allowed to see. We write and test those policies.
How long does an RLS audit take?
48 hours for the written report. Fix work depends on the number of tables. Most apps with 8–15 tables take 2–3 days to fully secure.
What does the fix cost?
The initial audit is free. Fix work is included in our Security Audit package ($499) for apps up to 20 tables.
Will enabling RLS break my app?
Potentially, yes, if done wrong; that's why we do it carefully. We stage the change, test with real user tokens, and verify before going live.
Next step

Get a free RLS audit

We audit your Supabase schema, identify every unprotected table, and send you a written report within 48 hours. No cost, no commitment.
