
supabase-best-practices
Supabase security and performance guidelines with Clerk authentication integration. Contains 40+ rules across 10 categories covering RLS policies, Clerk setup, database security, and more.
Supabase Best Practices
Comprehensive security and performance optimization guide for Supabase applications with Clerk authentication integration. Contains 40+ rules across 10 categories, prioritized by impact to guide secure development and code review.
When to Apply
Reference these guidelines when:
- Setting up a new Supabase project
- Integrating Clerk authentication with Supabase
- Writing Row Level Security (RLS) policies
- Designing database schemas
- Implementing real-time features
- Configuring Storage buckets
- Writing Edge Functions
- Reviewing code for security issues
Rule Categories by Priority
| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Row Level Security | CRITICAL | rls- |
| 2 | Clerk Integration | CRITICAL | clerk- |
| 3 | Database Security | HIGH | db- |
| 4 | Authentication Patterns | HIGH | auth- |
| 5 | API Security | HIGH | api- |
| 6 | Storage Security | MEDIUM-HIGH | storage- |
| 7 | Realtime Security | MEDIUM | realtime- |
| 8 | Edge Functions | MEDIUM | edge- |
| 9 | Testing | MEDIUM | test- |
| 10 | Security | MEDIUM | security- |
Quick Reference
1. Row Level Security (CRITICAL)
- rls-always-enable - Always enable RLS on public schema tables
- rls-wrap-functions-select - Wrap auth functions with (SELECT ...) for performance
- rls-add-indexes - Add indexes on columns used in RLS policies
- rls-specify-roles - Specify roles with TO authenticated clause
- rls-security-definer - Use SECURITY DEFINER functions for complex policies
- rls-minimize-joins - Minimize joins in RLS policies
- rls-explicit-auth-check - Use explicit auth.uid() checks
- rls-restrictive-policies - Use RESTRICTIVE policies for additional constraints
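The following is an added example (not one of the skill's rule files) that applies the RLS rules above to a single owner-scoped table. The table `public.documents`, the share table `public.document_shares`, and the helper function `public.shared_document_ids()` are assumed names chosen for this illustration; `auth.uid()` and `auth.jwt()` are Supabase's built-in functions.

```sql
-- Added example: an owner-scoped table secured with the RLS rules above.
-- Table, column and function names are assumptions for this illustration.
create table public.documents (
  id uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  title text not null,
  body text,
  created_at timestamptz not null default now()
);

-- rls-always-enable: with RLS on and no policies, every row is denied by
-- default, so forgetting a policy fails closed instead of open.
alter table public.documents enable row level security;

-- rls-add-indexes: the column the policies compare against must be indexed,
-- otherwise each policy check degrades into a sequential scan.
create index documents_owner_id_idx on public.documents (owner_id);

-- rls-specify-roles / rls-wrap-functions-select / rls-explicit-auth-check:
-- scope each policy to the authenticated role and wrap auth.uid() in
-- (select ...) so Postgres evaluates it once per statement, not once per row.
-- Caveat (assumption, check your token): with Clerk as the provider, user ids
-- are not UUIDs, so auth.uid() (which casts "sub" to uuid) fails; store the
-- owner as text and compare against (select auth.jwt() ->> 'sub') instead.
create policy "documents_select_own" on public.documents
  for select to authenticated
  using ((select auth.uid()) = owner_id);

create policy "documents_insert_own" on public.documents
  for insert to authenticated
  with check ((select auth.uid()) = owner_id);

create policy "documents_update_own" on public.documents
  for update to authenticated
  using ((select auth.uid()) = owner_id)
  with check ((select auth.uid()) = owner_id);

create policy "documents_delete_own" on public.documents
  for delete to authenticated
  using ((select auth.uid()) = owner_id);

-- rls-minimize-joins / rls-security-definer: a "shared with me" rule would
-- need a join inside the policy. Move the lookup into a SECURITY DEFINER
-- function so the policy stays a single index-friendly comparison and the
-- share table itself can stay locked down behind its own RLS.
create table public.document_shares (
  document_id uuid not null references public.documents (id) on delete cascade,
  user_id uuid not null,
  primary key (document_id, user_id)
);
alter table public.document_shares enable row level security;
create index document_shares_user_id_idx on public.document_shares (user_id);

create or replace function public.shared_document_ids()
returns setof uuid
language sql
security definer
set search_path = ''   -- pin the search path so the definer cannot be hijacked
stable
as $$
  select document_id
  from public.document_shares
  where user_id = (select auth.uid());
$$;

-- Only logged-in users may call the definer function.
revoke execute on function public.shared_document_ids() from public, anon;
grant execute on function public.shared_document_ids() to authenticated;

create policy "documents_select_shared" on public.documents
  for select to authenticated
  using (id in (select public.shared_document_ids()));
```

Run it against a local Supabase stack and then compare `explain analyze select * from public.documents` as the authenticated role with and without the `(select ...)` wrapper: the wrapped form shows `auth.uid()` as an InitPlan evaluated once, which is the performance point behind rls-wrap-functions-select.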
2. Clerk Integration (CRITICAL)
- clerk-setup-third-party - Use Third-Party Auth integration (not JWT templates)
- clerk-client-server-side - Use accessToken callback for server-side clients
- clerk-client-client-side - Use useSession() hook for client-side clients
- clerk-role-claim - Configure role: authenticated claim in Clerk
- clerk-org-policies - Use organization claims for multi-tenant RLS
- clerk-mfa-policies - Enforce MFA with RESTRICTIVE policies
- clerk-no-jwt-templates - Never use deprecated JWT template integration
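As an added example (not from the skill's rule files), here is what clerk-role-claim, clerk-org-policies and clerk-mfa-policies look like on the database side. It assumes Clerk is connected as a Supabase Third-Party Auth provider with a custom `role: "authenticated"` claim, that the active organization is exposed as the `org_id` claim, and that Clerk's `fva` claim carries `[first_factor_age, second_factor_age]` in minutes with `-1` meaning not verified; decode one of your own session tokens to confirm the claim names before relying on them. The table `public.projects` and the helper `public.clerk_org_id()` are names chosen for this illustration.

```sql
-- Added example: multi-tenant RLS driven by Clerk session-token claims.
-- Assumptions: Clerk is a Third-Party Auth provider with role=authenticated
-- mapped (clerk-role-claim), "org_id" is the active org claim, and "fva" is
-- Clerk's factor-verification-age claim. Names below are illustrative.
create table public.projects (
  id uuid primary key default gen_random_uuid(),
  org_id text not null,       -- Clerk org id (org_...), text rather than uuid
  created_by text not null,   -- Clerk user id from the "sub" claim, text
  name text not null
);
alter table public.projects enable row level security;
create index projects_org_id_idx on public.projects (org_id);

-- One place that reads the org claim; STABLE so the planner can hoist it,
-- and called through (select ...) so it runs once per statement.
create or replace function public.clerk_org_id()
returns text
language sql
stable
set search_path = ''
as $$
  select nullif(auth.jwt() ->> 'org_id', '');
$$;

-- clerk-org-policies: rows are visible only inside the caller's active org.
-- "to authenticated" only matches because Clerk emits role=authenticated;
-- without that claim the request runs as anon and these policies never apply.
create policy "projects_org_select" on public.projects
  for select to authenticated
  using (org_id = (select public.clerk_org_id()));

create policy "projects_org_insert" on public.projects
  for insert to authenticated
  with check (
    org_id = (select public.clerk_org_id())
    and created_by = (select auth.jwt() ->> 'sub')
  );

-- clerk-mfa-policies: a RESTRICTIVE policy is AND-ed with every permissive
-- policy on the table, so a later, more generous permissive policy cannot
-- bypass it. Here any access requires a second factor verified within the
-- last 60 minutes (example threshold). A missing or -1 age evaluates to -1
-- and is rejected.
create policy "projects_require_recent_mfa" on public.projects
  as restrictive
  for all to authenticated
  using (
    (select coalesce(((auth.jwt() -> 'fva') ->> 1)::int, -1)) between 0 and 60
  );
```

Because the MFA policy is restrictive, a user whose token satisfies the org policy but whose `fva` second-factor age is `-1` still sees zero rows, which is the behaviour the rule is after: the permissive policies describe who may see what, the restrictive policy adds a condition everyone must meet.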
3. Database Security (HIGH)
- db-migrations-versioned - Use versioned migrations for schema changes
- db-schema-design - Follow proper schema design patterns
- db-indexes-strategy - Implement proper indexing strategy
- db-foreign-keys - Always use foreign key constraints
- db-triggers-security - Secure trigger functions properly
- db-views-security-invoker - Use SECURITY INVOKER for views
4. Authentication Patterns (HIGH)
- auth-jwt-claims-validation - Always validate JWT claims
- auth-user-metadata-safety - Treat user_metadata as untrusted
- auth-app-metadata-authorization - Use app_metadata for authorization
- auth-session-management - Implement proper session management
5. API Security (HIGH)
- api-filter-queries - Always filter queries even with RLS
- api-publishable-keys - Use publishable keys correctly
- api-service-role-server-only - Never expose service role key to client
6. Storage Security (MEDIUM-HIGH)
- storage-rls-policies - Enable RLS on storage.objects
- storage-bucket-security - Configure bucket-level security
- storage-signed-urls - Use signed URLs for private files
7. Realtime Security (MEDIUM)
- realtime-private-channels - Use private channels for sensitive data
- realtime-rls-authorization - RLS policies apply to realtime
- realtime-cleanup-subscriptions - Clean up subscriptions on unmount
8. Edge Functions (MEDIUM)
- edge-verify-jwt - Always verify JWT in edge functions
- edge-cors-handling - Handle CORS properly
- edge-secrets-management - Use secrets for sensitive data
9. Testing (MEDIUM)
- test-pgtap-rls - Test RLS policies with pgTAP
- test-isolation - Isolate tests properly
- test-helpers - Use test helper functions
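An added example of the three testing rules together (not one of the skill's rule files): a pgTAP transaction that creates a throwaway table with one policy, impersonates two users and an anonymous caller through a small temp helper, and asserts what each can read. It assumes the `pgtap` extension is enabled, that Supabase's `auth.uid()` exists, and that the test connection (for example the `postgres` role in a local stack) may switch to the `authenticated` and `anon` roles. The table `public.notes`, the helper `pg_temp.impersonate()` and the fixture ids are constructed for this example.

```sql
-- Added example: pgTAP test proving an RLS policy isolates users.
-- Assumes pgtap is installed and the caller can SET ROLE to authenticated/anon.
begin;
select plan(4);

-- test-isolation: the table, policy and fixtures live only inside this
-- transaction and disappear at the final rollback, so no state leaks.
create table public.notes (
  id uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  body text not null
);
alter table public.notes enable row level security;
create policy "notes_select_own" on public.notes
  for select to authenticated
  using ((select auth.uid()) = owner_id);
grant select on public.notes to authenticated, anon;

-- Constructed fixture ids, not real users.
insert into public.notes (owner_id, body) values
  ('00000000-0000-4000-8000-000000000001', 'alice private note'),
  ('00000000-0000-4000-8000-000000000002', 'bob private note');

-- test-helpers: impersonate a user the way PostgREST does, by setting the
-- JWT-claims GUC and the role for the rest of the transaction.
create or replace function pg_temp.impersonate(user_id uuid)
returns void language plpgsql as $$
begin
  perform set_config('request.jwt.claims',
    json_build_object('sub', user_id, 'role', 'authenticated')::text, true);
  perform set_config('role', 'authenticated', true);
end $$;

-- test-pgtap-rls: each user sees exactly, and only, their own row.
select pg_temp.impersonate('00000000-0000-4000-8000-000000000001');
select is((select count(*) from public.notes), 1::bigint,
  'alice sees exactly one note');
select is((select body from public.notes), 'alice private note',
  'and it is her own note');

reset role;
select pg_temp.impersonate('00000000-0000-4000-8000-000000000002');
select is((select count(*) from public.notes), 1::bigint,
  'bob sees exactly one note');

-- No claims and the anon role: RLS is on, no policy targets anon, so the
-- table reads as empty rather than leaking rows.
reset role;
select set_config('request.jwt.claims', '', true);
set local role anon;
select is((select count(*) from public.notes), 0::bigint,
  'anon sees nothing');

select * from finish();
rollback;
```

Run it with `pg_prove` (or `supabase test db`) against a local database; the `reset role` between impersonations matters because the `authenticated` role cannot switch directly to `anon`, and the final rollback removes the table, the temp function and the fixtures.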
10. Security (MEDIUM)
- security-validate-inputs - Validate all inputs before processing
- security-audit-advisors - Regularly run Security Advisor checks
How to Use
Read individual rule files for detailed explanations and code examples:
references/rules/rls-always-enable.md
references/rules/clerk-setup-third-party.md
references/rules/_sections.md
Each rule file contains:
- Brief explanation of why it matters
- Incorrect code example with explanation
- Correct code example with explanation
- When NOT to use the pattern
- Reference links to official documentation
Full Compiled Document
For the complete guide with all rules expanded: references/supabase-guidelines.md