After developing your project and deciding it's Production Ready, you should run through this checklist to ensure that your project:
- is secure
- won't falter under the expected load
- remains available whilst in production
- Ensure RLS is enabled
- Tables that do not have RLS enabled with reasonable policies allow any client to access and modify their data. This is unlikely to be what you want in the majority of cases.
- Learn more about RLS.
- Enable replication on tables containing sensitive data by enabling Row Level Security (RLS) and setting row security policies:
- Go to the Authentication > Policies page in the Supabase Dashboard to enable RLS and create security policies.
- Go to the Database > Replication page in the Supabase Dashboard to manage replication tables.
- Turn on SSL Enforcement
- Enable Network Restrictions for your database.
- Enable 2FA on GitHub. Since your GitHub account gives you administrative rights to your Supabase project, you should protect it with a strong password and 2FA using a U2F key or a TOTP app.
- Ensure email confirmations are enabled in the
Settings > Authpage.
- Use a custom SMTP server for auth emails so that your users can see that the mails are coming from a trusted domain (preferably the same domain that your app is hosted on). Grab SMTP credentials from any major email provider such as SendGrid, AWS SES, etc.
- Think hard about how you would abuse your service as an attacker, and mitigate.
- Review these common cybersecurity threats.
- Ensure that you have suitable indices to cater to your common query patterns
- Perform load testing (preferably on a staging env)
- Tools like k6 can simulate traffic from many different users.
- Upgrade your database if you require more resources. If you need anything beyond what is listed, contact email@example.com.
- If you are expecting a surge in traffic (for a big launch) contact support with more details about your launch. We'll keep an eye on your project.
- If you expect your database size to be > 4 GB, enable the Point in Time Recovery (PITR) addon. Daily backups can take up resources from your database when the backup is in progress. PITR is more resource efficient, since only the changes to the database are backed up.
- Use your own SMTP credentials so that you have full control over the deliverability of your transactional auth emails (see Settings > Auth)
- you can grab SMTP credentials from any major email provider such as SendGrid, AWS SES, etc. You can refer to our SMTP guide for more details.
- The default rate limit for auth emails when using a custom SMTP provider is 30 new users per hour, if doing a major public announcement you will likely require more than this.
- If your application is on the free plan and is not expected to be queried at least once every 7 days, then it may be paused by Supabase to save on server resources.
- You can restore paused projects from the Supabase dashboard.
- Upgrade to Pro to guarantee that your project will not be paused for inactivity.
- Database backups are not available for download on the free plan.
- You can set up your own backup systems using tools like pg_dump or wal-g.
- Nightly backups for Pro plan projects are available on the Supabase dashboard for up to 7 days.
- Point in Time Recovery (PITR) allows a project to be backed up at much shorter intervals. This provides users an option to restore to any chosen point of up to seconds in granularity. In terms of Recovery Point Objective (RPO), Daily Backups would be suitable for projects willing to lose up to 24 hours worth of data. If a lower RPO is required, enable PITR.
- Upgrading to the Supabase Pro plan will give you access to our support team.
Rate Limiting, Resource Allocation, & Abuse Prevention#
- Supabase employs a number of safeguards against bursts of incoming traffic to prevent abuse and help maximize stability across the platform
- If you're expecting high load events including production launches or heavy load testing, or prolonged high resource usage please give us at least 2 weeks notice. You can do this by opening a ticket via the support form.
Auth Rate Limits#
- The table below shows the rate limit quotas on the following authentication endpoints:
|Endpoint||Path||Limited By||Rate Limit|
|All endpoints that send emails||Sum of combined requests||Defaults to 30 emails per hour. As of 14th July 2023, this has been updated to 4 emails per hour. Is customizable with custom SMTP set up.|
|All endpoints that send One-Time-Passwords (OTP)||Sum of combined requests||Defaults to 30 OTPs per hour. Is customizable.|
|Send OTPs or magiclinks||Last request||Defaults to 60 seconds window before a new request is allowed. Is customizable.|
|Signup confirmation request||Last request||Defaults to 60 seconds window before a new request is allowed. Is customizable.|
|Password Reset Request||Last request||Defaults to 60 seconds window before a new request is allowed. Is customizable.|
|Verification requests||IP Address||360 requests per hour (with bursts up to 30 requests)|
|Token refresh requests||IP Address||360 requests per hour (with bursts up to 30 requests)|
|Create or Verify an MFA challenge||IP Address||15 requests per minute (with bursts up to 30 requests)|
- Supabase provides CAPTCHA protection on the signup, sign-in and password reset endpoints. Please refer to our guide on how to protect against abuse using this method.
Email Link Validity#
When working with enterprise systems, email scanners may scan and make a
GETrequest to the reset password link or sign up link in your email. Since links in Supabase Auth are single use, a user who opens an email post-scan to click on a link will receive an error. To get around this problem, consider altering the email template to replace the original magic link with a link to a domain you control. The domain can present the user with a "Sign-in" button which redirect the user to the original magic link URL when clicked.
When using a custom SMTP service, some services might have link tracking enabled which may overwrite or malform the email confirmation links sent by Supabase Auth. To prevent this from happening, we recommend that you disable link tracking when using a custom SMTP service.
This checklist is always growing so be sure to check back frequently, and also feel free to suggest additions and amendments by making a PR on GitHub.
The rate limit is only applied on
/auth/v1/userif this endpoint is called to update the user's email address. ↩