Expected Findings
- Authorization is required; anonymous callers get 401.
- Server filters rows server-side by the caller's identity.
- Filter parameters cannot widen the row set beyond the caller's scope.
Clean Reference
ref-rls (Clean Reference)
Reference Supabase-style profiles endpoint with RLS enforced server-side: callers receive only their own row, regardless of query parameters.
Reference probe
Primary Flows
- Profiles (auth) Returns only the caller's row
- Profiles (anon) 401 without bearer token
- RLS policy Applied policies
Signals
Policy
CREATE POLICY profiles_self ON profiles USING (id = auth.uid())
Notes
- This scenario is a true-negative control.