Supabase launch checklist — ship without leaking data
Twenty-item checklist before your Supabase-backed app hits real users. RLS policies, bucket permissions, function auth, service-role hygiene.
For: Anyone shipping a Supabase-backed app
Row-Level Security
- RLS enabled on every table in the `public` schema (critical)
- Default-deny policy added to every table
- Explicit allow policies scoped by auth.uid + tenant
- Policies tested for all four verbs (select/insert/update/delete)
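The four RLS items above, worked through as an added SQL example (not part of this checklist or of Securie). The table `public.documents` (columns `tenant_id`, `owner_id`, `body`), the membership table `public.memberships` (`user_id`, `tenant_id`) and the UUIDs are assumptions; substitute your own schema.

```sql
-- Added example, not from the checklist. Table and column names are assumptions.

-- 1. Enable RLS. With RLS on and no permissive policy, Postgres returns no rows
--    and accepts no writes for anon/authenticated: this is the default-deny
--    baseline every table needs before any allow policy is written.
alter table public.documents enable row level security;

-- 2. Explicit allow policies, one per verb, scoped by auth.uid() and tenant.
--    Nothing is granted to anon; only authenticated tenant members get access.
create policy "documents_select_member" on public.documents
  for select to authenticated
  using (
    exists (
      select 1 from public.memberships m
      where m.user_id = auth.uid() and m.tenant_id = documents.tenant_id
    )
  );

create policy "documents_insert_owner" on public.documents
  for insert to authenticated
  with check (
    owner_id = auth.uid()
    and exists (
      select 1 from public.memberships m
      where m.user_id = auth.uid() and m.tenant_id = documents.tenant_id
    )
  );

create policy "documents_update_owner" on public.documents
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());   -- a row cannot be handed to another owner

create policy "documents_delete_owner" on public.documents
  for delete to authenticated
  using (owner_id = auth.uid());

-- 3. Test all four verbs as one specific user, inside a transaction you roll back.
--    auth.uid() reads the sub claim from request.jwt.claims, so setting that
--    variable impersonates the user without a real token. UUIDs are constructed.
begin;
set local role authenticated;
set local "request.jwt.claims" to
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';

select count(*) from public.documents;          -- only this user's tenant rows
insert into public.documents (tenant_id, owner_id, body)
  values ('00000000-0000-0000-0000-0000000000aa',   -- tenant the user belongs to
          '00000000-0000-0000-0000-000000000001', 'ok');
update public.documents set body = 'x'
  where owner_id <> '00000000-0000-0000-0000-000000000001';   -- expect UPDATE 0
delete from public.documents
  where owner_id <> '00000000-0000-0000-0000-000000000001';   -- expect DELETE 0
rollback;

-- 4. Launch check for the first item: tables in public with RLS still off.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

Run step 3 once per role you care about (a tenant member, a non-member, and `anon` with no claims set) and confirm the non-member and anon runs return zero rows and zero affected rows for every verb; a policy that passes only the select test is the usual gap.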
Keys + roles
- Service-role key never in client code (critical)
- Service-role key rotated if ever shared more broadly than needed
- `anon` role grants audited (no accidental read/write on private tables)
- `authenticated` role grants match your app's intent
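Auditing the `anon` and `authenticated` grants, as an added SQL example (not part of this checklist or of Securie). The table name `public.billing_accounts` in the revoke step is an assumption; the catalog queries themselves need nothing project-specific.

```sql
-- Added example, not from the checklist. public.billing_accounts is an assumption.

-- 1. Every table privilege the two client-facing roles currently hold in public.
--    Compare this list against what the app actually calls.
select grantee, table_name, privilege_type
from information_schema.role_table_grants
where table_schema = 'public'
  and grantee in ('anon', 'authenticated')
order by table_name, grantee, privilege_type;

-- 2. The dangerous intersection: tables anon can reach that also have RLS off.
--    Anything listed here is readable or writable with just the public anon key.
select g.table_name, g.privilege_type
from information_schema.role_table_grants g
join pg_tables t
  on t.schemaname = g.table_schema and t.tablename = g.table_name
where g.table_schema = 'public'
  and g.grantee = 'anon'
  and not t.rowsecurity;

-- 3. Remove grants the unauthenticated role should never have had, and stop
--    tables created later (by the current role) from being granted to anon.
revoke all on table public.billing_accounts from anon;
alter default privileges in schema public revoke all on tables from anon;

-- 4. SQL functions are exposed over the API too: list those anon may execute
--    and confirm each one is meant to be callable without a session.
select p.proname
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 'public'
  and has_function_privilege('anon', p.oid, 'execute');
```

Re-run steps 1 and 4 after every migration; a new table or function picks up the schema's default privileges, so a clean audit at launch does not stay clean on its own.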
Storage
- All storage buckets private by default (critical)
- Storage RLS policies match your intended access model
- Downloads use signed URLs, not public URLs
- Uploads validate content-type via magic bytes
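The bucket and storage-policy items above, as an added SQL example (not part of this checklist or of Securie). The bucket name `user-files` and the per-user folder layout are assumptions. The magic-byte check on uploads is application code and is not covered here; the `allowed_mime_types` list only filters the content type the client declares.

```sql
-- Added example, not from the checklist. Bucket name and layout are assumptions.

-- 1. Create the bucket private (public = false). Objects are then reachable only
--    with a JWT that passes the policies below, or through a signed URL, and the
--    server rejects uploads whose declared type is outside the allow-list.
insert into storage.buckets (id, name, public, allowed_mime_types)
values ('user-files', 'user-files', false, array['image/png', 'image/jpeg'])
on conflict (id) do update
  set public = false,
      allowed_mime_types = excluded.allowed_mime_types;

-- 2. RLS on storage.objects: a user may only read, upload and delete objects
--    whose top-level folder is their own user id. No policy is given to anon.
create policy "user_files_select_own" on storage.objects
  for select to authenticated
  using (
    bucket_id = 'user-files'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "user_files_insert_own" on storage.objects
  for insert to authenticated
  with check (
    bucket_id = 'user-files'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "user_files_delete_own" on storage.objects
  for delete to authenticated
  using (
    bucket_id = 'user-files'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- 3. Launch checks: any bucket still public, and any storage policy that lets
--    anon at objects (either one means downloads work without a signed URL).
select id, public
from storage.buckets
where public;

select policyname, cmd, roles
from pg_policies
where schemaname = 'storage'
  and tablename = 'objects'
  and 'anon' = any(roles);
```

Because the bucket is private, clients fetch files with `createSignedUrl` rather than `getPublicUrl`; a public URL for a private bucket simply returns an error, which is the behaviour the "signed URLs, not public URLs" item is asking for.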
Edge functions
- Every Edge Function verifies the caller
- CORS restricted to your origins
- Secrets stored in function-level vars, not hardcoded
Auth flows
- Password reset uses Supabase's built-in token
- Magic-link emails send from verified domain
- JWT secret not exposed via auth.jwt_secret to anon
Scan
- Run the free scanner at /signup (critical)
- Install Securie on the GitHub repo for ongoing checks