Security//RLS
Database-level lock. Every row has an owner (`user_id`). RLS ensures only that owner can see it — even if the code has a bug that requests "give me all contacts" without filtering, the DB says "no, you're Carmen, you only get yours."
Second layer of security: even if the first one fails (a backend bug, a badly protected endpoint), the DB holds. Malicious code can push, but the database won't release another user's data.
In Supabase: enabled per table. Each table has policies like `SELECT` only if `auth.uid() = user_id`. Supabase connects this to its OAuth system — the session token identifies the user, and RLS filters automatically.
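As an added example (not from the original page), this is what such policies can look like for a hypothetical `contacts` table; the table, column and policy names are assumptions. It goes beyond the `SELECT` case to cover writes as well, and ends with a check for tables in `public` that still have RLS switched off.

```sql
-- Hypothetical table for illustration; all names here are assumptions.
create table public.contacts (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null default auth.uid() references auth.users (id),
  name    text not null
);

-- RLS is off by default on a new table; it must be enabled per table.
-- Once enabled, a table with no policies returns no rows to API roles.
alter table public.contacts enable row level security;

-- Read: a user only sees rows they own.
create policy "contacts_select_own" on public.contacts
  for select to authenticated
  using (auth.uid() = user_id);

-- Insert: a user cannot create a row owned by someone else.
create policy "contacts_insert_own" on public.contacts
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Update: USING limits which rows can be touched,
-- WITH CHECK stops user_id being changed to another user.
create policy "contacts_update_own" on public.contacts
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Delete: only the owner's rows.
create policy "contacts_delete_own" on public.contacts
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit: tables in the public schema that still have RLS disabled.
select tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Requests made with the `service_role` key bypass RLS entirely, so that key belongs only in trusted server-side code.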
Without RLS, security depends 100% on your code filtering correctly. With RLS, the DB is the last line of defense. The difference between "I trust I locked the door" and "the door locks itself."