Security guidelines
Service key rules, RLS guidance, rate limiting, and SSR state-management safety.
1 min read
Rules (non-negotiable)
- NEVER use the service client in client-side code.
- NEVER expose SUPABASE_SERVICE_ROLE_KEY to the client.
- Use RLS policies for data access control.
- Always use the appropriate client for the context:
- Browser Client: Public data only
- RLS Client: Authenticated user data
- Service Client: Admin operations
- Configure rate limiting in backend/middlewares/rateLimit.ts and backend/config/GlobalConfig.ts.
SSR state management security
- NEVER import or use authenticationRepository in any +page.server.ts or +layout.server.ts files.
- NEVER mutate shared state (singletons with mutable state) in server load functions.
- ALWAYS set export const ssr = false; for protected routes (user-specific data).
- ONLY enable SSR (export const ssr = true;) for public routes that don’t use shared mutable state.
- If you need auth info in SSR routes, use cookies/request context instead of shared state.
// ✅ SAFE: Use cookies for server-side auth
export const ssr = true;
export async function load({ cookies }) {
const accessToken = cookies.get('access_token');
// Use token to fetch user data per-request
}
// ❌ UNSAFE: Never do this in server code
import { authenticationRepository } from '$lib/user-auth/index';
await authenticationRepository.checkAuth(); // Shared state - security risk!