Fix guide · high · pocketbase_list_rule_blank
Pocketbase collection records readable without authentication
Your Pocketbase collection's /api/collections/<name>/records endpoint returned records when called with no Authorization header at all. The collection's List rule is blank, which in Pocketbase means open to everyone, not closed.
Why it matters
This is the most common Pocketbase mistake, especially among devs coming from Supabase. In Supabase, RLS enabled with no policies means denied. In Pocketbase, a rule has three states: locked (shown as "Locked" in the Admin UI, null in an export) means only superusers/admins can call the endpoint; unlocked but empty means anyone can; a non-empty rule is a filter expression. Unlocking a rule to test something and forgetting to fill it in therefore publishes the collection. Every record in it is now enumerable by anyone with the deployment URL, including through the filter and sort query parameters.
How to fix it
Set a List rule on the collection. In the Admin UI → Collections → your-collection → API Rules → List rule (if the slot shows "Locked", unlock it first, then enter an expression; do not leave it empty):
For ownership-shaped data (user owns the record):
@request.auth.id != "" && user.id = @request.auth.id
For "any logged-in user can read":
@request.auth.id != ""
For "everyone can read public records, owner can read everything":
is_public = true || (@request.auth.id != "" && user.id = @request.auth.id)
Apply the same logic to the View, Create, Update, and Delete rules. Pocketbase has five independent rule slots, and each one is blank-as-open on its own; auth collections additionally have a Manage rule, which should stay locked unless you need it.
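To check all five slots on every collection at once rather than one form at a time, audit the JSON that Admin UI → Settings → Export collections produces. The script below is an added example written for this guide, not part of Pocketbase or of the vibecheck scanner; it assumes the export is a JSON array of collection objects carrying listRule, viewRule, createRule, updateRule and deleteRule, with null meaning locked, "" meaning public and any other string a filter. The sample export embedded in it is constructed, and the probe_list helper at the end (which makes a real HTTP request) is only run when you call it yourself.

```python
"""Audit an exported Pocketbase collections JSON for blank-as-open API rules.

Added example for this fix guide; not Pocketbase's own code and not the
vibecheck scanner. Assumes the Admin UI collection export format (a JSON
array of collections with the five *Rule keys). Rule semantics assumed:
  null  -> locked   (superusers/admins only)
  ""    -> public   (anyone, including unauthenticated callers)
  other -> filter expression evaluated per request
"""
import json
import sys
import urllib.error
import urllib.request

RULE_KEYS = ("listRule", "viewRule", "createRule", "updateRule", "deleteRule")

# Constructed sample export: "posts" has the blank-list-rule mistake,
# "invoices" is fully locked, "articles" is intentionally partly public.
SAMPLE_COLLECTIONS = [
    {"name": "posts", "type": "base",
     "listRule": "", "viewRule": "",
     "createRule": '@request.auth.id != ""',
     "updateRule": '@request.auth.id != "" && user.id = @request.auth.id',
     "deleteRule": '@request.auth.id != "" && user.id = @request.auth.id'},
    {"name": "invoices", "type": "base",
     "listRule": None, "viewRule": None, "createRule": None,
     "updateRule": None, "deleteRule": None},
    {"name": "articles", "type": "base",
     "listRule": "is_public = true", "viewRule": "is_public = true",
     "createRule": '@request.auth.id != "" && user.id = @request.auth.id',
     "updateRule": '@request.auth.id != "" && user.id = @request.auth.id',
     "deleteRule": '@request.auth.id != "" && user.id = @request.auth.id'},
]


def classify_rule(rule):
    """Map one rule value to 'locked', 'public' or 'filtered'."""
    if rule is None:
        return "locked"
    if rule.strip() == "":
        return "public"
    return "filtered"


def audit_collections(collections):
    """Return (collection, rule_key, message) for every rule that lets an
    unauthenticated caller through: blank rules (always), and filters that
    never reference @request.auth (anonymous requests can satisfy them, so
    they are reported for review rather than as definite mistakes)."""
    findings = []
    for col in collections:
        for key in RULE_KEYS:
            rule = col.get(key)
            verdict = classify_rule(rule)
            if verdict == "public":
                findings.append((col["name"], key,
                                 "blank rule: open to anyone"))
            elif verdict == "filtered" and "@request.auth" not in rule:
                findings.append((col["name"], key,
                                 "filter never checks @request.auth; "
                                 "anonymous requests can match, confirm intended"))
    return findings


def probe_list(base_url, collection, token=None, timeout=10):
    """GET /api/collections/<name>/records and return (status, totalItems).
    200 with totalItems > 0 and token=None means anonymous listing works.
    List rules are applied as filters, so after the fix an anonymous GET
    typically yields 200 with an empty result rather than 401/403; a 403
    means the slot is locked (admin-only) instead of filtered."""
    url = f"{base_url.rstrip('/')}/api/collections/{collection}/records?perPage=1"
    headers = {"Authorization": token} if token else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
            return resp.status, int(body.get("totalItems", 0))
    except urllib.error.HTTPError as err:
        return err.code, 0


def load_export(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python audit_rules.py pb_schema.json   (defaults to the sample)
    cols = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_COLLECTIONS
    for name, key, msg in audit_collections(cols):
        print(f"{name}.{key}: {msg}")
```

Treat every "blank rule" line as a finding to fix; the "confirm intended" lines are the `is_public = true` pattern from above and are only a problem if that collection was not meant to be partly public. Run the export audit again after saving the rules, then re-run the live inspection.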
Full guide: /blog/pocketbase-security.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again; the finding should clear.