
Why Your Supabase Data Is Exposed (And You Don’t Know It)


DEV Community·Jordan Sterchele·about 1 month ago

The four RLS mistakes that silently leak production data, and how to verify your policies actually work.

In January 2025, security researchers found over 170 apps built with Lovable had exposed databases. Every user's data (emails, messages, private records) was publicly readable by anyone with the project URL and the anonymous key. The anonymous key is embedded in every Supabase client-side app; it is meant to be public, and it is not a secret you can protect.

The cause wasn't a Supabase bug. It was missing Row Level Security. If you're building on Supabase, RLS is not optional: Supabase grants the anon and authenticated roles full privileges on tables in the API-exposed public schema by default, so any table with RLS disabled is readable and writable by anyone who can reach your project's REST API with that key. Enabling RLS is what narrows that access down to what your policies allow.

This post covers the four RLS mistakes that silently expose data, including the one that's counterintuitive, and how to verify your policies actually do what you think they do.…
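The following is an added example, not code from the article or from Supabase. It shows the three steps a practitioner would run in the Supabase SQL editor: audit which tables in the exposed schema still have RLS disabled, enable RLS with owner-scoped policies, then verify the policies by impersonating the API roles the way PostgREST does. The table `public.notes` with an `owner_id` column and the UUIDs in the JWT claims are hypothetical; substitute your own schema.

```sql
-- Added example (not from the article). Assumes a hypothetical table
-- public.notes(id uuid, owner_id uuid, body text); adjust names to your schema.

-- 1. Audit: every regular table in the API-exposed schema with RLS disabled.
--    Each row this returns is readable and writable with the public anon key.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;

-- 2. Enable RLS. With RLS on and no policies, anon and authenticated get
--    zero rows and zero writes; each policy then opens exactly what it states.
alter table public.notes enable row level security;

-- Owners read their own rows. "to authenticated" keeps anon out entirely;
-- wrapping auth.uid() in a subselect lets Postgres evaluate it once per query.
create policy "notes: owner can read"
  on public.notes for select
  to authenticated
  using (owner_id = (select auth.uid()));

-- Owners insert rows only for themselves. INSERT policies are enforced by
-- WITH CHECK, not USING; a USING-only policy does not constrain new rows.
create policy "notes: owner can insert"
  on public.notes for insert
  to authenticated
  with check (owner_id = (select auth.uid()));

-- 3. Verify by impersonating the API roles inside a transaction. auth.uid()
--    reads the JWT from the request.jwt.claims setting, so setting that GUC
--    reproduces what PostgREST does for a real request with that token.
begin;
set local role anon;
select count(*) as anon_visible_rows from public.notes;   -- must be 0
rollback;

begin;
set local role authenticated;
set local request.jwt.claims to
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) as own_rows from public.notes;            -- only rows where owner_id = that sub
-- Negative test: inserting a row for a different user must fail with
-- "new row violates row-level security policy"; if it succeeds, the policy is wrong.
insert into public.notes (id, owner_id, body)
  values (gen_random_uuid(), '00000000-0000-0000-0000-000000000002', 'not mine');
rollback;
```

Two caveats when reading the results: the service_role key bypasses RLS entirely, so it must never reach a client, and the audit query only covers tables; a view in the public schema runs with its owner's privileges and skips the underlying tables' policies unless it is created with `security_invoker = true`.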
