Improved Security Controls and A New Home for Security

16 Jul 2025


Today we are launching the foundations of several security features we plan to build on in the upcoming months.

  • Centralized security docs
  • Organization‑wide security settings in the Dashboard

Centralized Security Docs

Supabase offers a robust set of security controls, but discovering and configuring them can feel daunting. Our new security documentation brings everything into one place - from product features like Auth Rate Limits and Vault to step‑by‑step guides on building secure applications with Supabase (Row‑Level Security, hardening the Data API, the Production Checklist, and more).

We’ve also published dedicated SOC 2 and HIPAA guides that explain how to achieve these compliance standards on Supabase and answer common questions.

Enforce MFA in Organization Security Settings

The first setting we are launching in the organization‑wide security settings page in the Dashboard is the ability to enforce Multi‑Factor Authentication (MFA) for every member of a Supabase Organization. Once enabled, all members must have MFA configured to access any project or resource in that org.

If a member hasn’t enabled MFA, they will immediately lose access until they do. New organization members will be able to accept invitations to an MFA‑enforced organization, but will not be able to interact with the organization until they have enabled MFA.

This setting is only available to Organization Owners, and the owner must have MFA enabled on their own account. We recommend setting up two separate MFA apps as a backup.

A few notes:

  • Only available on Pro, Team, and Enterprise plans.
  • Personal Access Tokens (PATs) are not affected by this setting.

You can toggle on this setting in the new Security tab of your organization settings.

Supabase Realtime - Enable Private Channels Only

You can now set Realtime to use only private channels, using Realtime Authorization. If you toggle off the Allow public access setting, no public channels can be created, and only clients authorized via Realtime Authorization can listen to and send messages.

This settings page is under a feature preview and you can enable it here. Once the feature preview is enabled, you can configure this setting in the new Realtime Settings page. While you are there, you can also tune the connection pool size that Realtime uses and the maximum concurrent clients.
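With public access disabled, the authorization that a client needs is expressed as Row Level Security policies on the `realtime.messages` table, which Realtime evaluates on subscribe and on send. The following policies are an added example, not from the post; the topic naming scheme `room:<id>` and the `public.room_members(room_id, user_id)` table are assumptions.

```sql
-- Added example: Realtime Authorization policies for a private channel.
-- Assumed schema (hypothetical): public.room_members(room_id, user_id)
-- records which authenticated users belong to a room, and each room's
-- channel topic is 'room:' followed by its id.

-- Listening (broadcast and presence subscriptions) is gated by SELECT.
create policy "room members can listen"
on realtime.messages
for select
to authenticated
using (
  realtime.messages.extension in ('broadcast', 'presence')
  and exists (
    select 1
    from public.room_members m
    where m.user_id = (select auth.uid())
      and 'room:' || m.room_id::text = realtime.topic()
  )
);

-- Sending (broadcasting and presence tracking) is gated by INSERT.
create policy "room members can send"
on realtime.messages
for insert
to authenticated
with check (
  realtime.messages.extension in ('broadcast', 'presence')
  and exists (
    select 1
    from public.room_members m
    where m.user_id = (select auth.uid())
      and 'room:' || m.room_id::text = realtime.topic()
  )
);

-- Check: list every policy that currently grants Realtime access, so that
-- an overly broad policy (for example one without a topic restriction)
-- is easy to spot during review.
select policyname, cmd, roles, qual, with_check
from pg_policies
where schemaname = 'realtime'
  and tablename = 'messages';
```

Clients must join the channel as private (in supabase-js, `{ config: { private: true } }`); a topic with no matching policy cannot be joined once public access is off, which is the behaviour this setting is meant to guarantee.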

Security and Performance Advisors - Disable Specific Rules

We received feedback from users that not all security and performance advisor rules apply to their project. Supabase powers everything from backend‑only APIs to full‑stack apps, and some Security and Performance advisors may not be applicable for everyone. For example, the RLS Disabled in Public rule may not apply if you only access Supabase from a secure context like a web server.

You can now customize Security Advisor rules and disable rules which are not relevant to your project. We will be extending rule customization to include rule assignment and more fine‑grained filtering.

This is currently under a feature preview and you can enable it here. Once enabled, rules can be managed through the new configuration section.

What comes next?

This release is the first building block in our security roadmap across the Supabase platform, including user auth, network isolation, compliance tooling, and automated remediation.

Here’s what's in progress:

Stronger Authentication and Access Control

  • YubiKey and hardware key MFA support to complement the Time-based One-Time Password (TOTP) flow.
  • We have already announced that project‑scoped roles are available on the Team plan, and now we are working to bring custom roles to our Enterprise plan. This will allow organizations to define custom, fine‑grained roles, limiting the actions and resources users have access to.

Security Enforcement

  • Assigning Security Advisories to team members in your org.
  • Extending our project‑scoped controls to automatically enforce compliance controls on sensitive projects.
  • Supporting additional compliance standards, alongside our existing SOC 2 and HIPAA controls.

Enterprise Connectivity

  • Self-service SSO for Supabase Organizations: Enterprise teams looking to enforce SSO will be able to self-serve via the Supabase Dashboard and will no longer need to submit a support ticket.
  • Supabase PrivateLink provides enterprise-grade private network connectivity between your AWS VPC and your Supabase database using AWS VPC Lattice. This is currently in Private Alpha and available to our Enterprise customers.

Our goal is to provide you with the best suite of security tools you need to deploy your production apps on Supabase with confidence.
