惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
博客园 - 三生石上(FineUI控件)
S
Securelist
U
Unit 42
The Cloudflare Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
T
Tenable Blog
The Hacker News
The Hacker News
The Register - Security
The Register - Security
IT之家
IT之家
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
博客园_首页
T
Tailwind CSS Blog
人人都是产品经理
人人都是产品经理
C
Cybersecurity and Infrastructure Security Agency CISA
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
T
Tor Project blog
C
CERT Recently Published Vulnerability Notes
Apple Machine Learning Research
Apple Machine Learning Research
Stack Overflow Blog
Stack Overflow Blog
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
A
Arctic Wolf
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
V
Visual Studio Blog
月光博客
月光博客
爱范儿
爱范儿
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Supabase Blog

AI Agents Know About Supabase. They Don't Always Use It Right. Custom OIDC Providers for Supabase Auth 100,000 GitHub stars Supabase docs over SSH Navigating Regional Network Blocks Supabase Joins the Stripe Projects Developer Preview Log Drains: Now available on Pro Supabase Storage: major performance, security, and reliability updates Supabase incident on February 12, 2026 Hydra joins Supabase X / Twitter OAuth 2.0 is now available for Supabase Auth BKND joins Supabase Supabase is now an official Claude connector Supabase PrivateLink is now available Introducing: Postgres Best Practices When to use Read Replicas vs. bigger compute Introducing TRAE SOLO integration with Supabase Supabase Security Retro: 2025 Sync Stripe Data to Your Supabase Database in One Click Building ChatGPT Apps with Supabase Edge Functions and mcp-use Own Your Observability: Supabase Metrics API Introducing iceberg-js: A JavaScript Client for Apache Iceberg Introducing Supabase for Platforms Adding Async Streaming to Postgres Foreign Data Wrappers Build "Sign in with Your App" using Supabase Auth Introducing Seven New Email Templates for Supabase Auth The new Supabase power for Kiro Introducing Supabase ETL Introducing Analytics Buckets Introducing Vector Buckets Snap, Inc. Launches Snap Cloud, Powered by Supabase Triplit joins Supabase Supabase Series E 1000 Y Combinator Founders Choose Supabase gm 👋 web3, welcome aboard to Sign in with Web3 (Solana, Ethereum) Announcing the Supabase Remote MCP Server Enterprise speed, enterprise standards with Bolt Cloud + Supabase PostgREST 13 Lovable Cloud + Supabase: The Default Platform for AI Builders Processing large jobs with Edge Functions, Cron, and Queues Defense in Depth for MCP Servers OrioleDB Patent: now freely available to the Postgres community Supabase Launch Week 15 Hackathon Winner Announcement The Vibe Coder's Guide to Supabase Environments Testing for Vibe Coders: From Zero to Production Confidence The Vibe Coding Master Checklist Vibe Coding: Best Practices for Prompting Supabase Auth: Build vs. Buy Top 10 Launches of Launch Week 15 Supabase Launch Week 15 Hackathon Storage: 10x Larger Uploads, 3x Cheaper Cached Egress, and 2x Egress Quota Persistent Storage and 97% Faster Cold Starts for Edge Functions Algolia Connector for Supabase New Observability Features in Supabase Improved Security Controls and A New Home for Security Introducing Branching 2.0 Stripe-To-Postgres Sync Engine as standalone Library Supabase Analytics Buckets with Iceberg Support Create a Supabase backend using Figma Make Introducing JWT Signing Keys Supabase UI: Platform Kit Build a Personalized AI Assistant with Postgres Announcing Multigres: Vitess for Postgres Building on open table formats Open Data Standards: Postgres, OTel, and Iceberg Simplifying back-end complexity with Supabase Data APIs PostgreSQL Event Triggers without superuser access Top 10 Launches of Launch Week 14 Supabase MCP Server Data API Routes to Nearest Read Replica Declarative Schemas for Simpler Database Management Realtime: Broadcast from Database Keeping Tabs on What's New in Supabase Studio Edge Functions: Deploy from the Dashboard + Deno 2.1 Automatic Embeddings in Postgres Introducing the Supabase UI Library Supabase Auth: Bring Your Own Clerk Postgres Language Server: Initial Release Migrating from Fauna to Supabase Migrating from the MongoDB Data API to Supabase Dedicated Poolers Postgres as a Graph Database: (Ab)using pgRouting AI Hackathon at Y Combinator Calendars in Postgres using Foreign Data Wrappers Supabase Launch Week 13 Hackathon Winners How to Hack the Base! Running Durable Workflows in Postgres using DBOS database.build v2: Bring-your-own-LLM Restore to a New Project Hack the Base! with Supabase Top 10 Launches of Launch Week 13 Supabase Queues High Performance Disk Supabase Cron Supabase CLI v2: Config as Code Supabase Edge Functions: Introducing Background Tasks, Ephemeral Storage, and WebSockets Supabase AI Assistant v2 OrioleDB Public Alpha Executing Dynamic JavaScript Code on Supabase with Edge Functions ClickHouse Partnership, improved Postgres Replication, and Disk Management
Supabase Security Suite
Paul Copplestone · 2024-07-11 · via Supabase Blog

Supabase Security Suite

Over the past 3 months, the team has been focused on security, performance, and stability. This is always part of our mandate, but for this period we have been exclusively focused on this task.

And we haven't been alone with security. @xyzeva (Eva), a rising star in the world of security, has been instrumental in the past 3 months - everything from discovering misconfigured projects to collaborating on fixes and features.

This post outlines the key initiatives that we have collaborated on and a few more in the pipeline.

Eva and her colleagues are the authors of Firewreck, which exposed the misconfiguration of Firebase instances. This HN comment highlights the key challenges for Firebase (paraphrased):

.. First, security rules as implemented by Firebase are still a novel concept.

.. Second, without the security of obscurity created by random in-house implementations of backends, scanning en masse becomes easier.

.. Finally, security rules are just hard.

And then an important technical distinction:

Technically there is nothing wrong with the Firebase approach but ... it opens itself up to misunderstanding, improper use, and issues like this.

Security is a Shared Responsibility Model. The more control you are given with a technology, the more opportunity you have to make a mistake.

We believe that we can give developers full control of their tools, while also being the most secure platform to develop with. How?

  • By providing security tooling, baked deeply into our platform.
  • By leaning into existing standards like Postgres Row Level Security (RLS), instead of using custom systems.

This post consolidates the tools and guides that we have available for the community.

Lunchcat#

Eva has added support for Supabase in Lunchcat, the AI-Powered security company she works for. Parts of this tooling is available for self-hosting today, and will be available as an integration once their platform is publicly available.

Security Advisor#

We launched our Security Advisor in the last Launch Week. Eva was a big contributor to this, helping to set up a robust set of security rules. These rules are available in the Dashboard, many with one-click solutions.

Security emails and notifications#

The security rules in our Security Advisor are run against all of your projects and project owners now receive weekly emails with a list of security issues that need to be solved. Since all of the advisories are open source, you can also use them inside your CI/CD pipeline.

Disabling the default Data API#

We have made it even easier to turn off the Data API if you don’t plan to use it. When you launch a project you can choose whether you want to create it with only Postgres connections, or if you also want the Data API. You can also turn off the Data API at any time in your project settings.

API hardening#

We have made it simple to switch the default schema from public to api in the API Settings page. We have also released a guide for Hardening the Data API, outlining various approaches for using the Data API. It’s very likely that we will make this the default set up in the future to align with PostgREST’s Schema Isolation guide.

Column level security#

We’ve added guides and a simple-to-use dashboard for column-level grants. This allows you to manage Postgres grants for every role (including the default Supabase anon and service_role). Combining this with RLS gives you extremely fine-grained control of your database.

User impersonation#

We have added User/Role impersonation to the Dashboard. You can use this to switch between anonymous and authenticated roles, or even go as deep as selecting an individual user (if you use Supabase Auth) to see the level of data that they use.

RLS AI Assistant#

RLS policies are even easier with our new GPT-4o powered AI Assistant. We want Row Level Security to be easier than any other security tool on the market. We have added a ton of tests to ensure that we have the most accurate Postgres RLS assistant available, for free.

Network Restrictions#

You can restrict access to your database at the network level for any direct access to your database. This is especially useful when you’re getting started and only want to give direct access to your own IP address.

And more#

Our docs are full of best practices and useful info:

Since we see a few common complaints about Row Level Security, we figured we would address them.

  • “It’s unsafe to communicate from the browser directly to the database.”

    The Database-centric approach is a three-tier architecture, the same as any other tool like NodeJs, Django, or RoR. The key difference is that you write your security rules in the SQL. It is also a different “workflow” from a three-tier approach, where traditionally you write authorization rules as part of your middleware rather than when you are setting up your database.

    Supabase is agnostic which approach you take. If SQL makes you uncomfortable, you can use the Postgres server we provide just like any other Postgres service.

  • “I turned off RLS while prototyping.”

    By default, Supabase enables RLS for all tables created via the dashboard. Some developers disable this while they are prototyping which is not recommended. The best way to solve this is to use our CLI for Local Development. The CLI provides the entire Supabase stack, directly on your local development machine.

  • "I forgot to enable RLS."

    Our dashboard has copious warnings when you have disabled RLS for any table. We also surface this in the Security Advisor, warnings via email and dashboard notifications.

That said, there are some legitimate difficulties with RLS - it’s not a silver bullet by any means. We are planning a lot more tooling to make this easier for Postgres and Supabase developers.

This is just the beginning of our tooling efforts, with many more ideas in the pipeline. We have hired dedicated security engineers to continue working on these initiatives, including:

  • Improved Security Advisor

    As we continue to discover misconfigurations and potential vulnerabilities we will continue to improve the suite of security rules that we enable across our entire fleet of database.

  • Network restrictions 2.0

    Networking should be as easy as using the database in Supabase. We’ve got a tonne of plans for this: network peering, Tailscale integration, better API Key management, fine-grained restrictions for each service and project scoped roles.

  • OpenAPI management

    We will be giving developers the ability to control the visibility of the OpenAPI spec based on the Postgres roles and grants. This provides some level of security through obscurity.

  • Development on "Hard mode"

    Not all projects are alike. While some require extremely strict levels of access, others can be a bit more relaxed. This is explained in our Maturity Models framework. We are brainstorming ways to codify this, so that developers can “turn up” the enforced security levels on their projects, restricting what developers can and cannot do.

  • CI/CD warnings

    We will be adding the Security Advisories into our CLI for first-class support within GitHub Actions and CI/CD pipelines. Combined with Branching, this prevents security misconfigurations before they ever reach production.

  • Revamped API keys

    Soon we will be replacing the anon and service_role API keys with a simpler public and admin key. This new setup will be conceptually similar, but will allow developers to create more fine-grained authorization rules and allow them to roll individual keys in case of a leak.

Eva approached us during our last Launch Week. While she was helping us with the Security Advisor she discovered a misconfiguration in one of our own applications using Supabase with Lunchcat. We were able to solve this quickly by toggling off read access to the anon role and scanning the access logs to ensure no malicious actors had accessed the data.

At the time, we didn’t have the Security Advisor to help the developer discover the misconfiguration before publishing. The Supabase Security suite is being developed to prevent this ever occurring again - for us and for our customers.

But no platform is infallible: when tooling doesn’t work, we rely on our community to help discover and responsibly disclose any vulnerabilities. We are launching a private Vulnerability Disclosure Program today with HackerOne. We commit to transitioning to a public disclosure program in a month, once we iron out the initial kinks. If you cannot wait till then, use our secret link submit a report.

If you find any misconfigured projects, please let us know. We will work with those customers to ensure that they know about the issue and can solve it. If you are a security professional, we welcome your help to secure the Supabase community.