After developing your project and deciding it's Production Ready, you should run through this checklist to ensure that your project:
- is secure
- won't falter under the expected load
- remains available whilst in production
- Ensure RLS is enabled
- Tables that do not have RLS enabled with reasonable policies allow any client to access and modify their data. This is unlikely to be what you want in the majority of cases.
- Learn more about RLS.
- Enable replication on tables containing sensitive data by enabling Row Level Security (RLS) and setting row security policies:
- Go to the Authentication > Policies page in the Supabase Dashboard to enable RLS and create security policies.
- Go to the Database > Replication page in the Supabase Dashboard to manage replication tables.
- Enable 2FA on GitHub. Since your GitHub account gives you administrative rights to your Supabase project, you should protect it with a strong password and 2FA using a U2F key or a TOTP app.
- Ensure email confirmations are enabled in the
Auth > Settingspage.
- Use a custom SMTP server for auth emails so that your users can see that the mails are coming from a trusted domain (preferably the same domain that your app is hosted on). Grab SMTP credentials from any major email provider such as SendGrid, AWS SES, etc.
- Think hard about how you would abuse your service as an attacker, and mitigate.
- Review these common cybersecurity threats.
- Ensure that you have suitable indices to cater to your common query patterns
- Perform load testing (preferably on a staging env)
- Tools like k6 can simulate traffic from many different users.
- Upgrade your database if you require more resources. If you need anything beyond what is listed, contact email@example.com.
- If you are expecting a surge in traffic (for a big launch), let the team know by sending your Project Ref to us (firstname.lastname@example.org) with more details about your launch. We'll keep an eye on your project.
- Use your own SMTP credentials so that you have full control over the deliverability of your transactional auth emails (see Auth > Settings)
- you can grab SMTP credentials from any major email provider such as SendGrid, AWS SES, etc.
- The default rate limit for auth emails provided by Supabase is 30 new users per hour, if doing a major public announcement you will likely require more than this.
- If your application is on the free tier and is not expected to be queried at least once every 7 days, then it may be paused by Supabase to save on server resources.
- You can restore paused projects from the Supabase dashboard.
- Upgrade to Pro to guarantee that your project will not be paused for inactivity.
- Database backups are not available for download on the free tier.
- Upgrading to the Supabase Pro Tier will give you access to email support on email@example.com
Rate Limiting, Resource Allocation, & Abuse Prevention#
- Supabase employs a number of safeguards against bursts of incoming traffic to prevent abuse and help maximize stability across the platform
- If you're expecting high load events including production launches or heavy load testing, or prolonged high resource usage please give us at least 2 weeks notice. You can do this by opening a ticket via the support form.
This checklist is always growing so be sure to check back frequently, and also feel free to suggest additions and amendments by making a PR on GitHub.