Supabase CISO Bill Harmer and Security Engineer Etienne Stalmans explain how Supabase embeds security at the database layer rather than bolting it on afterward. Key practices include Row Level Security (RLS) to control data access per user, continuous policy testing with pgTAP, and a simple anonymous-vs-authenticated access model. They also warn about AI-generated code silently removing security checks when prompted to 'just make it work.'
Table of contents
Security starts with the data
Building with first principles
Anonymous or authenticated
Row Level Security is non-negotiable
Testing your policies with pgTAP
Security that scales
“Just make it work”: the dangerous prompt
Building securely by default
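The three practices named in the summary (per-user Row Level Security, an anonymous-vs-authenticated access model, and pgTAP policy tests) fit in a single SQL file. The following is an added example, not code from the talk or from Supabase itself. It assumes Supabase's built-in `anon` and `authenticated` roles with their default table grants, pgTAP installed in the database, and the `auth.uid()` helper, which reads the JWT subject from the `request.jwt.claims` setting that PostgREST sets per request; the table, policy names and the two user ids are constructed for the example.

```sql
-- Added example (not from the Supabase talk or codebase).
-- Assumes Supabase's `anon` / `authenticated` roles, default grants on public
-- tables, pgTAP, and auth.uid() reading the JWT `sub` from request.jwt.claims.

create table if not exists public.notes (
  id        bigint generated always as identity primary key,
  owner_id  uuid not null,
  body      text not null
);

-- Deny by default: with RLS enabled and no matching policy, a query returns no rows.
-- FORCE makes the owner role subject to RLS too, so tests cannot bypass it by accident.
alter table public.notes enable row level security;
alter table public.notes force row level security;

-- Authenticated users read only rows they own ...
create policy notes_owner_select on public.notes
  for select to authenticated
  using (owner_id = auth.uid());

-- ... and may only insert/update/delete rows they own.
create policy notes_owner_modify on public.notes
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Deliberately no policy for `anon`: anonymous requests see an empty table.

-- The "just make it work" anti-pattern the talk warns about. A permissive
-- policy like this makes errors disappear by removing the check entirely:
--   create policy notes_open on public.notes for all using (true) with check (true);
-- The pgTAP test below is what catches such a change in CI.

-- pgTAP test; run with `pg_prove` or `supabase test db`.
begin;
select plan(4);

-- Constructed fixture rows for two users.
insert into public.notes (owner_id, body) values
  ('11111111-1111-1111-1111-111111111111', 'alice note'),
  ('22222222-2222-2222-2222-222222222222', 'bob note');

-- Impersonate Alice the way PostgREST does: switch role and set the JWT claims.
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);

select results_eq(
  'select body from public.notes order by body',
  $$values ('alice note'::text)$$,
  'authenticated user sees only their own rows');

-- 42501 is insufficient_privilege, the code raised when WITH CHECK fails.
select throws_ok(
  $$insert into public.notes (owner_id, body)
    values ('22222222-2222-2222-2222-222222222222', 'forged')$$,
  '42501');

-- Anonymous caller: no policy applies, so the table looks empty.
set local role anon;
select set_config('request.jwt.claims', '{"role":"anon"}', true);

select is(
  (select count(*) from public.notes),
  0::bigint,
  'anonymous role sees no rows');

-- Guard against a stray permissive policy being added later.
reset role;
select policies_are('public', 'notes',
  array['notes_owner_select', 'notes_owner_modify'],
  'only the intended policies exist on notes');

select * from finish();
rollback;
```

The whole test runs inside a transaction that is rolled back, so fixture rows never persist. The `policies_are` check is the one that matters most for the AI-generated-code concern: a policy such as `using (true)` added to silence a permission error changes the policy list and fails the test before it reaches production.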