react-doctor/supabase-table-missing-rls
Supabase table created without Row Level Security
- Category: Security
- Severity: error
- Source:
oxlint-plugin-react-doctor - Framework: global
- Enabled when: always
- Tags: security-scan
- Default: Enabled
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Confirm the reported code matches Supabase table created without Row Level Security. Check the framework context and diagnostic message before suppressing it.
Fix prompt
Use this once validation confirms the diagnostic is real.
Enable RLS in the same migration (alter table <name> enable row level security;) and add auth.uid()-scoped policies for select/insert/update/delete. A public table without RLS is fully readable and writable with the public anon key.
Related rules
More Security rules from the rules reference:
react-doctor/svg-filter-clickjacking-risk: Applying CSS or SVG filters over a cross-origin iframe can be used for clickjacking or to read pixels from framed content the attacker should not see.react-doctor/tanstack-start-get-mutation: Use `createServerFn({ method: 'POST' })` for data modifications — GET requests can be triggered by prefetching and are vulnerable to CSRFreact-doctor/tanstack-start-no-secrets-in-loader: Loaders are isomorphic (run on both server and client). Wrap secret access in `createServerFn()` so it stays server-onlyreact-doctor/tenant-static-proxy-risk: Building an asset path from a client-supplied tenant, subdomain, or workspace value lets one tenant read another tenant's files.react-doctor/unsafe-json-in-html: Unescaped JSON in HTML or script sink