diff --git a/prisma/migrations/20260225194600_enable_rls/migration.sql b/prisma/migrations/20260225194600_enable_rls/migration.sql
new file mode 100644
index 0000000..1aab787
--- /dev/null
+++ b/prisma/migrations/20260225194600_enable_rls/migration.sql
@@ -0,0 +1,17 @@
+-- Enable Row Level Security on all tables.
+-- The app connects via the postgres superuser (Prisma) which bypasses RLS,
+-- so existing behaviour is unchanged. This locks out Supabase's anon/
+-- authenticated roles from accessing tables directly via the REST API.
+
+ALTER TABLE "User" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Account" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Session" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "VerificationToken" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Category" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Resource" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Tag" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Like" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Comment" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Submission" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_ResourceToTag" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_AuthoredBy" ENABLE ROW LEVEL SECURITY;
diff --git a/prisma/migrations/20260225195338_enable_rls_prisma_migrations/migration.sql b/prisma/migrations/20260225195338_enable_rls_prisma_migrations/migration.sql
new file mode 100644
index 0000000..cb12abc
--- /dev/null
+++ b/prisma/migrations/20260225195338_enable_rls_prisma_migrations/migration.sql
@@ -0,0 +1,3 @@
+-- Enable RLS on Prisma's own migrations table.
+-- The postgres superuser bypasses RLS so migrate deploy continues to work.
+ALTER TABLE "_prisma_migrations" ENABLE ROW LEVEL SECURITY;
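Review bot: The table list in the first migration is fixed at the time it was written, so any table created by a later migration stays reachable by the anon/authenticated roles until that migration also enables RLS, and the header does not say so. The header should also be precise about why the app is unaffected: `ENABLE` without `FORCE` is skipped for superusers, roles with BYPASSRLS and the table owner, and with no policies defined every other role reads zero rows rather than getting an error, so moving the app to a less-privileged connection role later would fail quietly. I would add `-- NOTE: every future CREATE TABLE migration must also ENABLE ROW LEVEL SECURITY; no policies exist, so non-owner roles are denied all rows.` Because the app connection bypasses RLS entirely, this change protects only the direct REST API path, and authorization in the app remains the only control for queries made through Prisma.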
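Review bot: The `ALTER TABLE "_prisma_migrations"` statement in the second migration assumes the table exists and resolves on the current search_path in every database the migration is replayed against; Prisma creates that table itself, and it may be absent in a shadow or freshly reset database (worth confirming with `prisma migrate dev`). A failure here would stop the migration run, so a guarded form is safer: `ALTER TABLE IF EXISTS "_prisma_migrations" ENABLE ROW LEVEL SECURITY;`. The comment could also state that the bypass holds for the table owner or a BYPASSRLS role and not only for a superuser, since the statement does not use `FORCE`.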