Supabase security and performance guidelines with Clerk authentication integration. Contains 40+ rules across 10 categories covering RLS policies, Clerk setup, database security, and more.
Comprehensive security and performance optimization guide for Supabase applications with Clerk authentication integration. Contains 40+ rules across 10 categories, prioritized by impact to guide secure development and code review.
Reference these guidelines when:
| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Row Level Security | CRITICAL | rls- |
| 2 | Clerk Integration | CRITICAL | clerk- |
| 3 | Database Security | HIGH | db- |
| 4 | Authentication Patterns | HIGH | auth- |
| 5 | API Security | HIGH | api- |
| 6 | Storage Security | MEDIUM-HIGH | storage- |
| 7 | Realtime Security | MEDIUM | realtime- |
| 8 | Edge Functions | MEDIUM | edge- |
| 9 | Testing | MEDIUM | test- |
| 10 | Security | MEDIUM | security- |
- Row Level Security (`rls-`)
  - `rls-always-enable` - Always enable RLS on public schema tables
  - `rls-wrap-functions-select` - Wrap auth functions with `(SELECT ...)` for performance
  - `rls-add-indexes` - Add indexes on columns used in RLS policies
  - `rls-specify-roles` - Specify roles with a `TO authenticated` clause
  - `rls-security-definer` - Use `SECURITY DEFINER` functions for complex policies
  - `rls-minimize-joins` - Minimize joins in RLS policies
  - `rls-explicit-auth-check` - Use explicit `auth.uid()` checks
  - `rls-restrictive-policies` - Use `RESTRICTIVE` policies for additional constraints
- Clerk Integration (`clerk-`)
  - `clerk-setup-third-party` - Use the Third-Party Auth integration (not JWT templates)
  - `clerk-client-server-side` - Use the `accessToken` callback for server-side clients
  - `clerk-client-client-side` - Use the `useSession()` hook for client-side clients
  - `clerk-role-claim` - Configure the `role: authenticated` claim in Clerk
  - `clerk-org-policies` - Use organization claims for multi-tenant RLS
  - `clerk-mfa-policies` - Enforce MFA with `RESTRICTIVE` policies
  - `clerk-no-jwt-templates` - Never use the deprecated JWT template integration
- Database Security (`db-`)
  - `db-migrations-versioned` - Use versioned migrations for schema changes
  - `db-schema-design` - Follow proper schema design patterns
  - `db-indexes-strategy` - Implement a proper indexing strategy
  - `db-foreign-keys` - Always use foreign key constraints
  - `db-triggers-security` - Secure trigger functions properly
  - `db-views-security-invoker` - Use `SECURITY INVOKER` for views
- Authentication Patterns (`auth-`)
  - `auth-jwt-claims-validation` - Always validate JWT claims
  - `auth-user-metadata-safety` - Treat `user_metadata` as untrusted
  - `auth-app-metadata-authorization` - Use `app_metadata` for authorization
  - `auth-session-management` - Implement proper session management
- API Security (`api-`)
  - `api-filter-queries` - Always filter queries even with RLS
  - `api-publishable-keys` - Use publishable keys correctly
  - `api-service-role-server-only` - Never expose the service role key to the client
- Storage Security (`storage-`)
  - `storage-rls-policies` - Enable RLS on `storage.objects`
  - `storage-bucket-security` - Configure bucket-level security
  - `storage-signed-urls` - Use signed URLs for private files
- Realtime Security (`realtime-`)
  - `realtime-private-channels` - Use private channels for sensitive data
  - `realtime-rls-authorization` - RLS policies apply to realtime
  - `realtime-cleanup-subscriptions` - Clean up subscriptions on unmount
- Edge Functions (`edge-`)
  - `edge-verify-jwt` - Always verify the JWT in edge functions
  - `edge-cors-handling` - Handle CORS properly
  - `edge-secrets-management` - Use secrets for sensitive data
- Testing (`test-`)
  - `test-pgtap-rls` - Test RLS policies with pgTAP
  - `test-isolation` - Isolate tests properly
  - `test-helpers` - Use test helper functions
- Security (`security-`)
  - `security-validate-inputs` - Validate all inputs before processing
  - `security-audit-advisors` - Regularly run Security Advisor checks

Read individual rule files for detailed explanations and code examples:
- `references/rules/rls-always-enable.md`
- `references/rules/clerk-setup-third-party.md`
- `references/rules/_sections.md`
Each rule file contains:
For the complete guide with all rules expanded, see `references/supabase-guidelines.md`.