security-supabase
Supabase Security Best Practices
Comprehensive security guide for Supabase projects. Contains rules across 6 categories, prioritized by impact to guide secure configuration, RLS policy design, and authentication patterns.
When to Apply
Reference these guidelines when:
- Writing or reviewing RLS policies
- Configuring Supabase Auth (OAuth, email, sessions)
- Setting up storage bucket policies
- Securing realtime channel subscriptions
- Writing or reviewing edge functions
- Auditing a Supabase project before launch
- Reviewing API exposure and anon key usage
Rule Categories by Priority
| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Row Level Security | CRITICAL | rls- |
| 2 | Authentication | CRITICAL | auth- |
| 3 | API Exposure | HIGH | api- |
| 4 | Storage Security | HIGH | storage- |
| 5 | Realtime Security | MEDIUM | realtime- |
| 6 | Edge Functions | MEDIUM | edge- |
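The highest-priority category above, Row Level Security, turns on one habit: every table the PostgREST API can reach must have RLS enabled and a policy that names the caller. The following is an added example (not code from the original rule files) showing that pattern plus the audit query a reviewer runs before launch. The `public.profiles` table and its `user_id` column are hypothetical; `auth.uid()` is Supabase's built-in helper that returns the JWT subject, or NULL for unauthenticated anon requests.

```sql
-- Hypothetical table used to illustrate the rls- rules.
create table if not exists public.profiles (
  id        bigint generated always as identity primary key,
  user_id   uuid not null references auth.users (id) on delete cascade,
  display   text
);

-- 1. Enable RLS. Without this, the anon key can read and write every row
--    through the auto-generated REST API. With it enabled and no policies,
--    the default is deny for every role except the owner and service_role.
alter table public.profiles enable row level security;

-- 2. Scope each operation to the caller. auth.uid() is NULL for anon
--    requests, so "NULL = user_id" is never true and anon is denied.
create policy "profiles: owner can read"
  on public.profiles for select
  using (auth.uid() = user_id);

create policy "profiles: owner can insert"
  on public.profiles for insert
  with check (auth.uid() = user_id);

-- USING filters the existing row; WITH CHECK validates the new row, so an
-- update needs both or a user could reassign a row to someone else.
create policy "profiles: owner can update"
  on public.profiles for update
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "profiles: owner can delete"
  on public.profiles for delete
  using (auth.uid() = user_id);

-- 3. Audit check: list every table in public that is exposed to the API
--    but still has RLS disabled. Expect zero rows before launch.
select n.nspname as schema, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity
order by c.relname;

-- 4. Companion check: tables with RLS enabled but no policy at all. These
--    are safe (deny-by-default) but usually mean someone forgot a policy.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
  on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
group by c.relname
having count(p.policyname) = 0;
```

Two caveats a reviewer should keep in mind: the `service_role` key bypasses RLS entirely, so it must never ship in a client, and policies are evaluated per operation, so a table with only a `select` policy still rejects inserts from every non-service role.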
How to Use
Read individual rule files for detailed explanations and code examples:
references/rls-enable-all-tables.md
references/auth-pkce-flow.md
references/api-anon-key-scope.md
Each rule file contains:
- Brief explanation of why it matters
- Incorrect code example with explanation
- Correct code example with explanation
- Supabase-specific context and gotchas
- Additional references