
Domonique Luchin


Supabase RLS Security Audit: Fixing SECURITY DEFINER Vulnerabilities Across 3 Production Projects

After discovering privilege-escalation risks in our multi-tenant Supabase setup, we conducted a comprehensive security audit across Load Bearing Empire's three production databases. We found critical gaps in Row Level Security (RLS) policies, unsafe SECURITY DEFINER functions, and functions whose search_path was left mutable, any of which could allow unauthorized data access. This article covers the specific vulnerabilities we identified, how we migrated functions to SECURITY INVOKER, how we hardened our RLS policies, and how we implemented automated security checks with pg_cron, with code examples from the real infrastructure powering our real estate wholesaling, demolition, valet, and structural engineering SaaS products.
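The three issues named above (a SECURITY DEFINER function that bypasses RLS, a search_path that the caller can influence, and no automated check that catches regressions) can be shown side by side in plain PostgreSQL. The following is an added example written for this summary, not code from the article or from Load Bearing Empire's databases; the `public.invoices` table, the `audit` schema, the function names and the cron schedule are hypothetical, and it assumes a Supabase project where `auth.uid()` and the `authenticated` role exist and the `pg_cron` extension has been enabled.

```sql
-- Constructed example: hypothetical table, schema and function names.
create table if not exists public.invoices (
  id        bigint generated always as identity primary key,
  tenant_id uuid not null,
  owner_id  uuid not null default auth.uid(),
  amount    numeric(12,2) not null
);

alter table public.invoices enable row level security;
-- Without FORCE, the table owner is exempt from RLS, which is exactly the
-- account a SECURITY DEFINER function usually runs as.
alter table public.invoices force row level security;

-- RLS policy: an authenticated caller sees only rows they own. auth.uid() is
-- Supabase's helper that reads the JWT subject; wrapping it in (select ...)
-- lets the planner evaluate it once per query instead of once per row.
create policy invoices_owner_select on public.invoices
  for select to authenticated
  using (owner_id = (select auth.uid()));

-- BEFORE (vulnerable): runs with the function owner's privileges, so RLS on
-- invoices does not constrain it, and resolves the unqualified name
-- "invoices" through the CALLER's search_path. A caller who can create
-- objects in a schema that sorts earlier in their path can shadow the table
-- and have the owner-privileged function read or write the shadow instead.
create or replace function public.tenant_total_unsafe(p_tenant uuid)
returns numeric
language sql
security definer
as $$
  select coalesce(sum(amount), 0) from invoices where tenant_id = p_tenant;
$$;

-- AFTER: SECURITY INVOKER (the default) so the RLS policy on public.invoices
-- applies to the caller, and an empty search_path pinned on the function so
-- every object name must be schema-qualified. pg_catalog is still searched
-- implicitly, so built-ins such as sum() keep working.
create or replace function public.tenant_total(p_tenant uuid)
returns numeric
language sql
security invoker
set search_path = ''
as $$
  select coalesce(sum(amount), 0)
  from public.invoices
  where tenant_id = p_tenant;
$$;

-- Automated check: record every SECURITY DEFINER function in public whose
-- search_path is not pinned (proconfig has no search_path entry), and every
-- ordinary table in public that still has RLS disabled.
create schema if not exists audit;

create table if not exists audit.findings (
  found_at    timestamptz not null default now(),
  schema_name text not null,
  object_name text not null,
  issue       text not null
);

create or replace function audit.run_checks()
returns void
language sql
security invoker
set search_path = ''
as $$
  insert into audit.findings (schema_name, object_name, issue)
  select n.nspname, p.proname, 'SECURITY DEFINER without fixed search_path'
  from pg_catalog.pg_proc p
  join pg_catalog.pg_namespace n on n.oid = p.pronamespace
  where p.prosecdef
    and n.nspname = 'public'
    and not exists (
      select 1
      from pg_catalog.unnest(coalesce(p.proconfig, '{}'::text[])) as c
      where c like 'search_path=%'
    )
  union all
  select n.nspname, c.relname, 'RLS disabled'
  from pg_catalog.pg_class c
  join pg_catalog.pg_namespace n on n.oid = c.relnamespace
  where c.relkind = 'r'
    and n.nspname = 'public'
    and not c.relrowsecurity;
$$;

-- pg_cron: run the audit nightly at 02:00 (server time zone). The named
-- three-argument form of cron.schedule requires pg_cron 1.4 or later.
select cron.schedule(
  'nightly-rls-definer-audit',
  '0 2 * * *',
  $$select audit.run_checks()$$
);
```

Running `select audit.run_checks();` once by hand after the definitions above records one finding for `public.tenant_total_unsafe` and none for `public.tenant_total`, which is the regression signal the scheduled job is meant to surface. If a function genuinely must stay SECURITY DEFINER, keep the `set search_path = ''` clause on it and grant EXECUTE only to the roles that need it, since the audit query flags only the search_path half of that problem.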
