Fix guide · high · supabase_anon_only_no_rls

Supabase tables readable without authentication

What this rule means

Your Supabase tables responded with HTTP 200 to an unauthenticated request that used only the anon key. Row-Level Security (RLS) is either disabled or set to a permissive policy.

Why it matters

The anon key is *meant* to be public. RLS is what stops the anon key from reading your data. Without RLS, anyone who finds the anon key in your bundle can run SELECT * against every table.

How to fix it

  1. Enable RLS on every table: ALTER TABLE public.<name> ENABLE ROW LEVEL SECURITY;
  2. Write policies scoped to ownership.
  3. Run vibecheck with autofix for suggested SQL.
  4. Test from outside with curl using just the anon key.

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
