Cursor + Supabase pre-launch security checklist
Cursor will happily repeat whatever auth + RLS pattern it sees across every table you touch, for better or worse. Get the baseline right on the first table, then audit the rest against this checklist before launch.
12 checks. The detector tag on each item names the SafeToShip scanner module that marks the check pass or fail when you run a scan; each item has a detailed fix guide.
- RLS enabled on every public schema table (Critical, detector: supabase)
- Every RLS-enabled table has explicit policies rather than relying on the implicit default-deny (High, detector: supabase)
- Service role key used only in server-side route handlers and cron jobs (Critical, detector: js-secrets)
- Anon key in the client; service role key never in client code (Critical, detector: js-secrets)
- .env files not reachable on the deployed URL (Critical, detector: exposed-files)
- /api/* CORS allowlists production origins, with no wildcard and no reflected Origin (High, detector: cors)
- CSP includes only the origins the app actually needs (High, detector: headers)
- HSTS set at the deploy host (High, detector: headers)
- Auth cookies Secure + HttpOnly + SameSite=Lax (High, detector: cookies)
- Storage buckets have explicit policies; Storage access is RLS on storage.objects (High, detector: supabase)
- Valid TLS certificate, no mixed content (High, detector: ssl)
- Rate limiting on auth callbacks (Medium, detector: rate-limit)
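The CSP, HSTS and auth-cookie checks above are mechanical enough to script. The following is an added example, not SafeToShip's headers or cookies detector and not code from the page: it audits one response's headers and returns the findings. Both sample responses are constructed. Two assumptions are labelled inline: auth cookie names start with `sb-` (as Supabase's SSR helpers name theirs), and the HSTS floor is one year, the hstspreload.org minimum.

```javascript
// Added example: audit a response against the CSP, HSTS and auth-cookie checks.
// Not SafeToShip's detector code. Sample responses below are constructed.

// Parse "name=value; Secure; HttpOnly; SameSite=Lax" into { name, attrs }.
function parseSetCookie(raw) {
  const [pair, ...attrParts] = raw.split(";");
  const attrs = {};
  for (const part of attrParts) {
    const [k, v] = part.split("=");
    attrs[k.trim().toLowerCase()] = v === undefined ? true : v.trim();
  }
  return { name: pair.split("=")[0].trim(), attrs };
}

// Parse a CSP into { directive: [sources] }.
function parseCsp(csp) {
  const out = {};
  for (const d of csp.split(";")) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Assumption: one year, the minimum hstspreload.org accepts; a sane floor even
// if you never submit the domain for preloading.
const HSTS_MIN_MAX_AGE = 31536000;

// Returns a list of findings; an empty list means all three checks pass.
// `set-cookie` may be a string or an array of strings, as in Node's IncomingMessage.
function auditResponseHeaders(headers, { authCookiePrefix = "sb-" } = {}) {
  const findings = [];
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  const hsts = h["strict-transport-security"];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push("hsts: header missing");
  else if (!maxAge || Number(maxAge[1]) < HSTS_MIN_MAX_AGE) findings.push(`hsts: max-age below ${HSTS_MIN_MAX_AGE}`);

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("csp: header missing");
  } else {
    const directives = parseCsp(csp);
    if (!directives["default-src"]) findings.push("csp: no default-src fallback");
    for (const [name, sources] of Object.entries(directives)) {
      // "*" or a bare scheme like https: allows any origin, which is what the check forbids.
      if (sources.some((s) => s === "*" || s === "https:" || s === "http:")) {
        findings.push(`csp: ${name} allows any origin (${sources.join(" ")})`);
      }
    }
  }

  // Assumption: auth cookies are the ones whose name starts with authCookiePrefix.
  const cookies = [].concat(h["set-cookie"] || []).map(parseSetCookie);
  for (const c of cookies.filter((c) => c.name.startsWith(authCookiePrefix))) {
    const missing = [];
    if (!c.attrs.secure) missing.push("Secure");
    if (!c.attrs.httponly) missing.push("HttpOnly");
    const sameSite = String(c.attrs.samesite || "").toLowerCase();
    if (sameSite !== "lax" && sameSite !== "strict") missing.push("SameSite=Lax");
    if (missing.length) findings.push(`cookie ${c.name}: missing ${missing.join(", ")}`);
  }
  return findings;
}

// Constructed "before" response: no HSTS, a wildcard connect-src, a half-flagged auth cookie.
const BEFORE = {
  "Content-Security-Policy": "default-src 'self'; connect-src *; img-src 'self' data:",
  "Set-Cookie": ["sb-abcd-auth-token=eyJ...; Path=/; SameSite=Lax", "theme=dark; Path=/"],
};

// Constructed "after" response: HSTS from the deploy host, CSP naming only the project's own origins.
const AFTER = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; connect-src 'self' https://abcdefghijklmnopqrst.supabase.co; img-src 'self' data:",
  "Set-Cookie": ["sb-abcd-auth-token=eyJ...; Path=/; Secure; HttpOnly; SameSite=Lax"],
};
```

Run it against a real deploy by feeding it the headers of a `curl -i https://your-app/` response; the `theme` cookie in the sample is deliberately ignored because the check is about auth cookies, not every cookie the app sets.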
Paste this into Cursor
One prompt that runs the entire checklist as a code review pass.
Audit my Cursor + Supabase project: confirm RLS is enabled on every public table with explicit policies, refactor any client code using the service_role JWT to use the anon key + RLS, route admin actions through server-side handlers that import a server-only Supabase client, prevent .env exposure on the deployed URL, allowlist /api/* CORS origins, set CSP/HSTS at the deploy host, set Secure+HttpOnly+SameSite=Lax on auth cookies, lock down Storage buckets with explicit per-object rules, confirm TLS validity, and add rate limiting on auth callbacks.
FAQ
Frequently asked questions
- How do I get Cursor to write good RLS policies for me?
- Show it one good example. Open a file with a working RLS policy and ask Cursor: "Apply this same ownership pattern to every table in my schema." Cursor works much better from a concrete reference than from an abstract description.
- What if some tables genuinely need to be public?
- Keep RLS enabled and add an explicit `USING (true)` policy for SELECT on those tables, with a code comment explaining why; writes still need policies with real conditions. Default-allow without RLS is dangerous; explicit allow with a paper trail is fine.
Per-issue depth
Fix guides for this checklist
Supabase RLS disabled
A Supabase table without RLS is readable (and often writable) by anyone with your anon key. Here is exactly how to turn on RLS and write your first policy.
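As an added example of the ownership pattern from the FAQ and the first two checks (not the page's own fix guide, and not Supabase code), the script below generates one migration that enables RLS on every table and writes the same owner policies for each, plus an explicitly public table whose reason is recorded in the migration itself. The table and column names are made up; `user_id` as the default owner column is an assumption.

```javascript
// Added example (not SafeToShip's or Supabase's code): generate an RLS
// migration that applies one ownership pattern to every table, plus an
// explicitly public table. All table/column names below are constructed.

// Accept only plain lowercase identifiers so a table name can never smuggle
// SQL into the generated migration.
function ident(name) {
  if (!/^[a-z_][a-z0-9_]{0,62}$/.test(name)) {
    throw new Error(`refusing unquoted identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

// Owner-only access: the row's owner column must equal the caller's auth.uid().
// auth.uid() is wrapped in a subselect, the form Supabase recommends, so Postgres
// evaluates it once per query instead of once per row. One policy per command,
// so INSERT and UPDATE carry a WITH CHECK and cannot create rows the caller
// could not read back.
function ownershipPolicies(table, ownerColumn = "user_id") {
  const t = `public.${ident(table)}`;
  const own = `(select auth.uid()) = ${ident(ownerColumn)}`;
  return [
    `alter table ${t} enable row level security;`,
    `create policy "${table} owner select" on ${t} for select to authenticated using (${own});`,
    `create policy "${table} owner insert" on ${t} for insert to authenticated with check (${own});`,
    `create policy "${table} owner update" on ${t} for update to authenticated using (${own}) with check (${own});`,
    `create policy "${table} owner delete" on ${t} for delete to authenticated using (${own});`,
  ];
}

// Genuinely public table: RLS stays on, reads are allowed explicitly, and the
// reason travels with the migration. No write policy is generated, so writes
// stay denied until someone adds one deliberately.
function publicReadPolicies(table, reason) {
  const t = `public.${ident(table)}`;
  if (!reason || !reason.trim()) {
    throw new Error(`public table ${table} needs a documented reason`);
  }
  return [
    `alter table ${t} enable row level security;`,
    `-- intentionally public: ${reason.replace(/\r?\n/g, " ")}`,
    `create policy "${table} public read" on ${t} for select to anon, authenticated using (true);`,
  ];
}

// Assemble the migration. owned: [{ table, ownerColumn }], publicRead: [{ table, reason }].
function buildMigration({ owned = [], publicRead = [] }) {
  const statements = ["begin;"];
  for (const { table, ownerColumn } of owned) statements.push(...ownershipPolicies(table, ownerColumn));
  for (const { table, reason } of publicRead) statements.push(...publicReadPolicies(table, reason));
  statements.push("commit;");
  return statements.join("\n");
}

// Constructed schema: three owner-scoped tables and one public pricing table.
const MIGRATION = buildMigration({
  owned: [
    { table: "posts", ownerColumn: "author_id" },
    { table: "comments" }, // owner column defaults to user_id
    { table: "api_tokens" },
  ],
  publicRead: [{ table: "plans", reason: "pricing page reads plans without a session" }],
});
```

Save the output as a file under `supabase/migrations/` and apply it with the Supabase CLI; the whole thing runs in one transaction, so a typo in one table name rolls back everything rather than leaving half the schema open.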
Exposed Supabase service key
The service role key bypasses all security in Supabase. If it is in your client code, an attacker has full database access. Here is how to find and fix it.
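Supabase's legacy keys are JWTs whose payload carries a `role` claim of `anon` or `service_role`, which is what makes the service role key findable in a client bundle. The following is an added example, not SafeToShip's js-secrets detector and not code from the page: it classifies a key by that claim without verifying the signature, then scans a constructed client file for inline service_role JWTs and for `NEXT_PUBLIC_` env vars that Next.js would inline into the browser bundle. Both keys in the sample are constructed and unsigned; the project ref and line contents are made up.

```javascript
// Added example (not SafeToShip's scanner): classify Supabase JWT keys by their
// role claim and find service_role keys in client-shipped source.
// The sample source and both keys are constructed; the signatures are placeholders.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed stand-in for a Supabase key: same three-part JWT shape and the same
// claims, but a placeholder signature that verifies nothing.
function fakeSupabaseJwt(role) {
  const header = base64url({ alg: "HS256", typ: "JWT" });
  const payload = base64url({ iss: "supabase", ref: "abcdefghijklmnopqrst", role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.placeholder-signature`;
}

// Read the role claim without verifying the signature: for classification we only
// care what the token claims to be, and the client never has the JWT secret anyway.
function supabaseKeyRole(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return claims.iss === "supabase" && typeof claims.role === "string" ? claims.role : null;
  } catch {
    return null;
  }
}

// Three base64url segments, the first two starting with "eyJ" ('{"' encoded).
const JWT_RE = /eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/g;

// Scan client source for service_role keys, pasted inline or read from an env var
// whose NEXT_PUBLIC_ prefix makes Next.js inline it into the browser bundle.
function findServiceRoleLeaks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const token of line.match(JWT_RE) || []) {
      if (supabaseKeyRole(token) === "service_role") {
        findings.push({ line: i + 1, kind: "inline-jwt", snippet: token.slice(0, 16) + "..." });
      }
    }
    if (/NEXT_PUBLIC_\w*SERVICE_ROLE\w*/.test(line)) {
      findings.push({ line: i + 1, kind: "public-env-var", snippet: line.trim() });
    }
  });
  return findings;
}

const ANON_KEY = fakeSupabaseJwt("anon");
const SERVICE_KEY = fakeSupabaseJwt("service_role");

// Constructed client file: line 2 is correct, lines 4 and 5 are the leaks.
const SAMPLE_CLIENT_SOURCE = [
  `import { createClient } from "@supabase/supabase-js";`,
  `export const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, "${ANON_KEY}");`,
  `// "quick fix" for an admin page, never do this in client code:`,
  `export const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, "${SERVICE_KEY}");`,
  `export const admin2 = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY);`,
].join("\n");
```

The fix for both findings is the same: keep the service role key in a server-only module read from a non-`NEXT_PUBLIC_` variable, and route admin actions through a route handler that imports that module. A key that has ever shipped in a bundle should be rotated, not just removed.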
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Note that browsers refuse to send cookies to a `*` response, so the truly dangerous variant is a handler that echoes whatever Origin it receives together with Access-Control-Allow-Credentials: true. Here is how to decide and fix it.
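As an added example (not the page's fix guide and not SafeToShip's cors detector), the code below does two things for a `/api/*` route: builds response headers from an explicit allowlist, so an unknown origin gets no Access-Control-Allow-Origin at all, and classifies an existing response as wildcard, reflected, allowlisted or none. The allowlist origins and the three sample responses are constructed.

```javascript
// Added example (not SafeToShip's or the page's code): CORS allowlist for /api/*
// plus a classifier for what a response actually permits. Origins are made up.

// Assumption: these are the production origins that may call the API with cookies.
const PRODUCTION_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Build the CORS headers for one request. An origin off the list gets no
// Allow-Origin header, so the browser blocks the cross-site read. Vary: Origin
// keeps a shared cache from replaying one origin's answer to another. With
// credentials the browser rejects "*", so the exact allowed origin is echoed.
function corsHeadersFor(requestOrigin, allowlist = PRODUCTION_ORIGINS, { credentials = true } = {}) {
  const headers = { Vary: "Origin" };
  if (!requestOrigin || !allowlist.has(requestOrigin)) return headers;
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
  headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
  return headers;
}

// Classify a response given the Origin that was sent with the request:
//  "none"        no Allow-Origin, cross-origin reads blocked
//  "wildcard"    Allow-Origin: *; cookies are never sent to it, so it is only a
//                problem if the endpoint was meant to be private
//  "allowlisted" Allow-Origin names an origin on the allowlist
//  "reflected"   Allow-Origin echoes an unlisted origin with credentials enabled,
//                so any site can read the API as the logged-in user
//  "unexpected"  Allow-Origin names something else entirely (e.g. a stale staging host)
function classifyCors(sentOrigin, responseHeaders, allowlist = PRODUCTION_ORIGINS) {
  const h = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h["access-control-allow-origin"];
  const creds = String(h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (!acao) return "none";
  if (acao === "*") return "wildcard";
  if (allowlist.has(acao)) return "allowlisted";
  return acao === sentOrigin && creds ? "reflected" : "unexpected";
}

const EVIL_ORIGIN = "https://evil.example.net";

// Constructed responses from three different middleware implementations.
const SAMPLE_RESPONSES = {
  fixed: corsHeadersFor(EVIL_ORIGIN),
  naiveReflect: { "Access-Control-Allow-Origin": EVIL_ORIGIN, "Access-Control-Allow-Credentials": "true" },
  publicData: { "Access-Control-Allow-Origin": "*" },
};
```

In a Next.js route handler, call `corsHeadersFor(request.headers.get("origin"))` and spread the result into the response headers for both the OPTIONS preflight and the real request; the classifier is what you run against `curl -H "Origin: https://evil.example.net" -i https://your-app/api/...` to confirm the fix.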
Run the scan to confirm each check
60 seconds. Free. No account required.