RLS disabled in public - Database linter error #26584
Hi there,

We suddenly received an email from Supabase Security Advisor, warning about tables in the

The doc says:

We tried to read about this, and feel like this is not totally accurate. We don't use Supabase's API, we only use Supabase from our server. Thus our users query our server, which connects to the database through the database string. Thus we haven't broadcast the API key anywhere.

Do you confirm our understanding, that if we haven't published any API key, then it is safe to keep RLS disabled on the

If so, I think the doc should be updated.

In any case, would it be safe to remove

Thanks in advance for the help!
Replies: 1 comment 5 replies
If you never show your anon key in public or use it on a client then you can get by without RLS enabled. If you remove public from the API it should only impact PostgREST (REST clients) access to the db.

As far as feedback to Supabase, not sure they will see it here. An issue in supabase/splinter would be the best approach.
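
An added example, not part of the original thread or of Supabase's documentation: a catalog query to check the exposure discussed above, listing every table in `public` that has RLS disabled together with the privileges held by the roles the REST API runs as. It assumes the Supabase role names `anon` and `authenticated`; `public.example_table` is a placeholder table name.

```sql
-- Tables in the public schema with RLS disabled, and what each API role
-- could do to them if a request arrived through PostgREST.
-- Roles that do not exist in this database simply produce no rows.
select
    c.relname                                   as table_name,
    r.rolname                                   as api_role,
    has_table_privilege(r.oid, c.oid, 'SELECT') as can_select,
    has_table_privilege(r.oid, c.oid, 'INSERT') as can_insert,
    has_table_privilege(r.oid, c.oid, 'UPDATE') as can_update,
    has_table_privilege(r.oid, c.oid, 'DELETE') as can_delete
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
cross join pg_roles r
where n.nspname = 'public'
  and c.relkind in ('r', 'p')        -- ordinary and partitioned tables
  and not c.relrowsecurity           -- RLS is disabled on the table
  and r.rolname in ('anon', 'authenticated')
order by c.relname, r.rolname;

-- Option A: enable RLS and define no policies. Roles subject to RLS then
-- see no rows. The table owner, superusers and roles with BYPASSRLS are
-- not restricted unless FORCE ROW LEVEL SECURITY is also set, so check
-- which role the server's connection string uses before relying on this.
alter table public.example_table enable row level security;

-- Option B: remove the API roles' privileges on the existing tables.
-- This covers only tables that exist now; tables created later receive
-- whatever the schema's default privileges grant.
revoke all on all tables in schema public from anon, authenticated;
```

Rows where any `can_*` column is true are the tables a leaked API key would expose; rerun the query after applying either option to confirm the result.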