📝 Written ● Beginner Updated 2026-06-02

How do I find security & performance issues in my backend?

TL;DR: In the console (lingcode.dev/backends → Database) click Advisors. It scans your backend's schema and flags security issues (a table with row-level security off, policies that exist while RLS is disabled, functions with a mutable search_path) and performance ones (no primary key, duplicate indexes, multiple permissive policies, unindexed foreign keys) — each with a fix. Re-run after changes; the green "no issues" state means the dangerous stuff is handled.

The scariest bugs in a backend aren't loud — they're the table you forgot to put row-level security on, quietly readable by anyone with the public key. Advisors is a one-click scan that surfaces exactly that class of problem (plus the slow-query kind) before a user finds it for you. Think of it as a linter for your database.

This applies to a managed backend. Advisors reads your schema (it never changes anything) and reports findings grouped by Security and Performance, ordered worst-first. It pairs with the RLS policy templates: templates help you apply safe access rules; Advisors tells you where you forgot to.

What it checks

Security

RLS disabled (error) — a table has row-level security off, so every row is readable/writable by anyone with the anon key. Fix: enable RLS and add a policy (use the templates).
Policies exist but RLS is off (error) — you wrote policies, but they do nothing because RLS isn't enabled. Fix: ALTER TABLE … ENABLE ROW LEVEL SECURITY;
Mutable function search_path (warn) — a function without a pinned search_path can be hijacked. Fix: SET search_path = '' in the function.

Performance

No primary key — row updates/deletes and realtime tracking work better with one.
Duplicate index — identical indexes waste space and slow writes; drop all but one.
Multiple permissive policies — several permissive policies for the same role+action all run on every query; combine them.
Unindexed foreign key — joins and cascade deletes scan the whole table; add an index on the FK column(s).

Run it, fix it, re-run

Open lingcode.dev/backends → Database → Advisors. Read the findings worst-first.
Fix the errors first — usually "enable RLS + add a policy." You can apply a policy from the templates, or ask the agent ("turn on RLS for notes so each user only sees their own rows").
Click Advisors again — a resolved issue drops off the list. The goal is no errors; warnings and info are judgment calls.

The one that matters most

If you read nothing else: an RLS-disabled table on a backend reachable by a public anon key is a data leak waiting to happen. Advisors flags it as an error for a reason — fix those before you ship. The managed backend gives every project RLS-capable Postgres; Advisors makes sure you actually used it.

How do I find security & performance issues in my backend?

What it checks

Run it, fix it, re-run

The one that matters most

What's next

Connect a managed backend

Require MFA

Semantic & hybrid search