Secure configuration of Supabase products

The Supabase production checklist provides detailed advice on preparing an app for production. While our SOC 2 and HIPAA compliance documents outline the roles and responsibilities for building a secure and compliant app.

Various products at Supabase have their own hardening and configuration guides, below is a definitive list of these to help guide your way.

Auth#

• Password security
• Rate limits
• Bot detection / Prevention
• JWTs

Database#

• Row Level Security
• Column Level Security
• Hardening the Data API
• Additional security controls for the Data API
• Custom claims and role based access control
• Managing Postgres roles
• Managing secrets with Vault
• Superuser access and unsupported operations

Storage#

• Object ownership
• Access control
  • The Storage API docs contain hints about required RLS policy permissions
• Custom roles with the storage schema

Realtime#

• Authorization