alt Hacker NewsI don't understand this. In supabase, the default is to turn on RLS for new tables. If you turn it on and have no policy set, no user can fetch anything from the table.
You have to explicitly create a read-all policy for anon keys, and with no constraints, for people to get access to it.
The default is secure.
If you turn off RLS, there are warnings everywhere that the table is unsecured.
The author goes on to compare this with PocketBase, which he says you "have to go out of your way" to make insecure. You have to go out of your way with Supabase, as well!
I wonder if the author tested this? I do agree that some third party website builders who use supabase on the back end could have created insecure defaults, but that's not supabase's fault.
Replies
The situation is more nuanced than your comment implies, and a lot of this due to direct product decisions from the Supabase team themselves: https://github.com/orgs/supabase/discussions/4547
The tldr is that Supabase makes this less secure by default because Security is Hard and they don’t want to scare off new users
Ok, we've added "if you turn off RLS" to make the title less misleading. It's still too baity a title for HN, but at least less egregious.
Submitters: baity and misleading titles are against the site guidelines, so please don't post them here.
https://news.ycombinator.com/newsguidelines.html