
Your Supabase RLS Is Probably Wrong: A Security Guide for Vibe Coders
You built your app with Lovable, Cursor, or Bolt. You connected Supabase. You enabled Row Level Security because the docs said to. Your RLS is probably wrong.

I have scanned dozens of vibe-coded apps this month. The same RLS mistake appears in roughly 80% of them. The app works perfectly. Every feature functions. Users can sign up, create data, view their data. And every user can also view every other user's data.

The mistake

Here is what AI-generated RLS policies typically look like:

```sql
CREATE POLICY "Users can view data" ON public.user_data
FOR SELECT USING (auth.role() = 'authenticated');
```

This policy says: if you are logged in, you can read all rows. Every row. Every user's data.

Here is what it should say:

```sql
CREATE POLICY "Users can view their own data" ON public.user_data
FOR SELECT USING (auth.uid() = user_id);
```

The difference is one function call. auth.role() only checks that the caller holds the authenticated role, which every logged-in user does. auth.uid() returns the caller's user id, so comparing it against user_id restricts the policy to rows that user owns. One character of
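To make the fix concrete, here is an added example (not code from the article): a complete table with RLS enabled, the weak policy kept commented out for contrast, owner-scoped policies for every command rather than SELECT alone, an audit query over pg_policies that flags policies which never reference the caller's identity, and a transaction that impersonates a user to verify the policy actually filters rows. The table name, column names and policy names are assumptions; the impersonation step assumes Supabase's definition of auth.uid(), which reads the sub claim from the request.jwt.claims setting.

```sql
-- Added example, not from the article. Assumes a Supabase Postgres database
-- (auth schema with auth.users, auth.uid() and auth.role()).

CREATE TABLE public.user_data (
  id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  -- Default to the caller so inserts cannot forget to set an owner.
  user_id uuid NOT NULL DEFAULT auth.uid() REFERENCES auth.users(id) ON DELETE CASCADE,
  note    text
);

-- Without this line, no policy is consulted and every row is readable.
ALTER TABLE public.user_data ENABLE ROW LEVEL SECURITY;

-- WEAK pattern described in the article: any logged-in user reads every row.
-- Shown only for contrast. Do not create it.
-- CREATE POLICY "Users can view data" ON public.user_data
--   FOR SELECT USING (auth.role() = 'authenticated');

-- CORRECT: one policy per command, each scoped to the row owner.
-- USING filters rows the caller may see or touch; WITH CHECK validates the
-- row as it will exist after INSERT or UPDATE, so a user cannot write a row
-- that belongs to someone else.
CREATE POLICY "select own rows" ON public.user_data
  FOR SELECT TO authenticated
  USING (auth.uid() = user_id);

CREATE POLICY "insert own rows" ON public.user_data
  FOR INSERT TO authenticated
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY "update own rows" ON public.user_data
  FOR UPDATE TO authenticated
  USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);

CREATE POLICY "delete own rows" ON public.user_data
  FOR DELETE TO authenticated
  USING (auth.uid() = user_id);

-- Audit (constructed heuristic): list policies in the public schema whose
-- USING / WITH CHECK expressions never mention the caller's identity.
-- A hit here is the article's bug: role-only gating, no per-row ownership.
SELECT schemaname, tablename, policyname, cmd, qual, with_check
FROM pg_policies
WHERE schemaname = 'public'
  AND COALESCE(qual, '') || COALESCE(with_check, '') NOT ILIKE '%auth.uid()%'
  AND COALESCE(qual, '') || COALESCE(with_check, '') NOT ILIKE '%auth.jwt()%';

-- Verify the policy as a specific user. Run in the SQL editor and roll back.
-- The sub value is a placeholder; use a real id from auth.users.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config(
  'request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true
);
-- With the owner-scoped policy this returns only that user's rows;
-- with the weak policy it returns the whole table.
SELECT count(*) FROM public.user_data;
ROLLBACK;
```

The audit query is a heuristic: a policy can legitimately key on a claim other than the user id (for example a tenant id pulled from auth.jwt()), so treat each hit as something to read, not something to delete blindly. The impersonation block is the check worth running after every policy change, because the application working normally tells you nothing about whether other users' rows are also visible.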


