Supabase provides enterprise-grade security features to protect your data and applications. From database-level Row Level Security to network restrictions and encryption, you have complete control over your security posture.

Security Architecture

Supabase implements a multi-layered security approach:

Database Security

Row Level Security (RLS) policies control data access at the database level

Network Security

IP restrictions and SSL enforcement protect connections

Authentication

Built-in auth with JWT tokens and MFA support

Encryption

Data encrypted at rest and in transit

Core Security Features

Row Level Security (RLS)

PostgreSQL’s Row Level Security is your primary defense mechanism. RLS policies control which rows users can access, providing granular authorization at the database level.

-- Enable RLS on a table
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;

-- Create a policy
CREATE POLICY "Users can view their own posts"
  ON posts
  FOR SELECT
  TO authenticated
  USING (auth.uid() = user_id);

Critical: All tables in the public schema MUST have RLS enabled before going to production. Without RLS, anyone with your anon key can access all data.
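The policy above only covers reads. Because RLS is default-deny once enabled, every command a client is expected to run needs its own policy, and writes need WITH CHECK so a caller cannot insert or re-assign rows under someone else’s user_id. The following is an added example, not code from the Supabase docs; it assumes a public posts table with a user_id uuid column and a boolean published column (assumptions), and wraps auth.uid() in a subselect so Postgres evaluates it once per query rather than once per row.

```sql
-- Added example (not from the Supabase docs): a complete owner-scoped policy
-- set for the "posts" table. Assumes posts(user_id uuid, published boolean).
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;

-- With RLS on and no matching policy for a command, a role sees no rows and
-- cannot write, regardless of table GRANTs. That is the safe failure mode.

-- Anyone (including the anon role) may read published posts; owners also
-- see their own drafts.
CREATE POLICY "posts_select" ON posts
  FOR SELECT
  TO anon, authenticated
  USING (published = true OR (SELECT auth.uid()) = user_id);

-- Inserts must carry the caller's own user_id, so a client cannot create
-- rows on behalf of another user.
CREATE POLICY "posts_insert" ON posts
  FOR INSERT
  TO authenticated
  WITH CHECK ((SELECT auth.uid()) = user_id);

-- USING limits which rows may be targeted; WITH CHECK stops an owner from
-- handing the row to a different user_id as part of the update.
CREATE POLICY "posts_update" ON posts
  FOR UPDATE
  TO authenticated
  USING ((SELECT auth.uid()) = user_id)
  WITH CHECK ((SELECT auth.uid()) = user_id);

CREATE POLICY "posts_delete" ON posts
  FOR DELETE
  TO authenticated
  USING ((SELECT auth.uid()) = user_id);
```

A quick way to test a policy set is to run it as the role it targets in the SQL editor, for example `SET ROLE authenticated;` followed by `SELECT set_config('request.jwt.claim.sub', '<user uuid>', true);` and the query in question, which is what auth.uid() reads.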

Row Level Security Guide

Learn how to implement and optimize RLS policies

Network Security

Control who can connect to your database:
  • IP Restrictions: Whitelist specific IP addresses or CIDR ranges
  • SSL Enforcement: Require encrypted connections to PostgreSQL
  • Private Networks: Isolate databases from public internet (Enterprise)

Network Security

Configure network restrictions and SSL enforcement

Encryption

All data is protected with encryption:
  • At Rest: AES-256 encryption for all data stored on disk
  • In Transit: TLS 1.2+ for all HTTPS and PostgreSQL connections
  • Transparent: No configuration needed, always enabled

Encryption Details

Learn about Supabase encryption implementation

Security Best Practices

1. Enable RLS on All Tables

Check which tables in the public schema don’t have RLS (pg_tables exposes the flag directly as rowsecurity, which avoids joining pg_class on the table name alone and wrongly matching a same-named table in another schema):

SELECT
  schemaname,
  tablename
FROM pg_tables
WHERE schemaname = 'public'
  AND rowsecurity = false;

Enable RLS:

ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;

2. Use Service Keys Securely

Never expose service_role keys in:
  • Client-side code
  • Git repositories
  • Browser applications
  • Mobile apps
Safe usage:
  • Server-side code only
  • Environment variables
  • Secure key management systems
  • Admin tools with proper access control

3. Enable Email Confirmations

Require users to verify their email addresses:
  1. Go to Authentication → Providers
  2. Enable “Confirm email”
  3. Configure email templates

4. Set Up Multi-Factor Authentication

Protect sensitive accounts with MFA.

For your organization:
  • Enable MFA on your Supabase account
  • Enforce MFA for all organization members

For your users (enrolling a TOTP factor only creates it; the factor becomes active after the first code is verified):

// Enable MFA for users: enroll a TOTP factor, then verify it so it becomes active
const { data: factor, error } = await supabase.auth.mfa.enroll({ factorType: 'totp' })
// Show factor.totp.qr_code (or factor.totp.secret) to the user in their authenticator app,
// then verify the first code they enter
const { data: challenge } = await supabase.auth.mfa.challenge({ factorId: factor.id })
await supabase.auth.mfa.verify({ factorId: factor.id, challengeId: challenge.id, code })

5. Configure SMTP for Production

Use custom SMTP to:
  • Improve email deliverability
  • Build trust with users
  • Increase rate limits
  • Maintain brand consistency
Default Supabase emails are rate-limited to 30/hour and should only be used for development.

6. Review Security Advisor

Use the built-in Security Advisor to find issues:
  1. Go to Database → Security Advisor
  2. Review all recommendations
  3. Address high-priority issues
  4. Re-run after fixes

Authentication Security

Password Security

Configure strong password requirements:
  1. Go to Authentication → Providers → Email
  2. Set minimum password length (recommend 12+ characters)
  3. Require character complexity:
    • Lowercase letters
    • Uppercase letters
    • Numbers
    • Symbols: !@#$%^&*()_+-=[]{}\;':"<>?,./`~
  4. Enable leaked password protection (Pro plan+)

Session Security

Manage user sessions securely. Session lifetime (time-boxed sessions and inactivity timeout) is configured in the dashboard under Authentication → Sessions, not through the client SDK; updateUser({ data }) only writes user_metadata, which the user themselves can change, so it cannot enforce a timeout.

// Revoke every session of the current user, on all devices
await supabase.auth.signOut({ scope: 'global' })

// Server side, with a service_role client: revoke the sessions behind a user's access token
await supabase.auth.admin.signOut(accessToken, 'global')

Redirect URL Security

Control where auth redirects are allowed:
  1. Go to Authentication → URL Configuration
  2. Add only trusted redirect URLs
  3. Use wildcards carefully: https://*.yourdomain.com

API Security

Rate Limiting

Supabase applies rate limits to prevent abuse:

Endpoint          | Default limit | Configurable
Email endpoints   | 30/hour       | With custom SMTP
OTP endpoints     | 360/hour      | Yes
Token refresh     | 1800/hour     | No
Anonymous sign-in | 30/hour       | No

Configure custom limits in Authentication → Rate Limits.

CAPTCHA Protection

Protect auth endpoints from bots by passing the token your CAPTCHA widget issued along with the sign-up request (the server rejects the request if the token is missing or invalid once bot protection is on):

// Enable CAPTCHA for sign-up
const { data, error } = await supabase.auth.signUp({
  email: 'user@example.com',
  password: 'password',
  options: {
    captchaToken: captchaToken // token returned by the hCaptcha / Turnstile widget
  }
})

Configure in Authentication → Settings → Bot Protection.

Database Security

Secure Database Credentials

Best practices:
  • Use strong, unique passwords (20+ characters)
  • Rotate credentials regularly
  • Store in secure key management systems
  • Never commit to version control

Database Roles

Supabase provides two main roles:
  • anon: For unauthenticated requests (public access)
  • authenticated: For logged-in users
Use in RLS policies:
CREATE POLICY "Public read access"
  ON products
  FOR SELECT
  TO anon
  USING (published = true);

CREATE POLICY "Authenticated users can create"
  ON products
  FOR INSERT
  TO authenticated
  WITH CHECK (user_id = auth.uid());

Prevent SQL Injection

Always use parameterized queries. The supabase-js query builder never interpolates values into SQL text; filters are sent to PostgREST as parameters, so the value below is compared as data even if it contains quotes:

const { data } = await supabase
  .from('users')
  .select('*')
  .eq('email', userEmail) // userEmail is sent as a parameter, not spliced into SQL
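The query builder is safe by construction, but Postgres functions you expose through supabase.rpc() are not, if they assemble SQL from their arguments. The following is an added example, not from the Supabase docs, showing the vulnerable pattern beside two hardened forms; it assumes a public users table with an email column (assumption).

```sql
-- Added example (not from the Supabase docs). Assumes public.users(email text).

-- Vulnerable: the argument is concatenated into the statement text, so a
-- value containing a quote is parsed as SQL instead of compared as data.
CREATE OR REPLACE FUNCTION find_user_unsafe(p_email text)
RETURNS SETOF users
LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE
    'SELECT * FROM users WHERE email = ''' || p_email || '''';
END;
$$;

-- Safe: the value travels as a bind parameter ($1) and is never parsed as SQL.
-- If an identifier must be dynamic, build it with format('%I', ...); literals
-- that cannot use USING go through format('%L', ...).
CREATE OR REPLACE FUNCTION find_user(p_email text)
RETURNS SETOF users
LANGUAGE plpgsql AS $$
BEGIN
  RETURN QUERY EXECUTE 'SELECT * FROM users WHERE email = $1' USING p_email;
END;
$$;

-- Best: no dynamic SQL at all. A plain SQL function is planned with its
-- parameters, and because SECURITY INVOKER is the default, the caller's RLS
-- policies still apply to the rows it returns.
CREATE OR REPLACE FUNCTION find_user_sql(p_email text)
RETURNS SETOF users
LANGUAGE sql STABLE AS $$
  SELECT * FROM users WHERE email = p_email;
$$;
```

Prefer the last form, and avoid SECURITY DEFINER on RPC functions unless you need it, since a definer function runs with the owner’s privileges and bypasses the caller’s RLS policies.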

Production Security Checklist

Before launching to production:
1. Enable RLS
  ✅ All public tables have RLS enabled
  ✅ Policies tested thoroughly
  ✅ No service_role key in client code

2. Configure Authentication
  ✅ Email confirmation enabled
  ✅ Custom SMTP configured
  ✅ Password requirements set
  ✅ Redirect URLs configured
  ✅ MFA available for users

3. Network Security
  ✅ SSL enforcement enabled
  ✅ Network restrictions configured (if needed)
  ✅ API keys rotated from defaults

4. Account Security
  ✅ MFA enabled on your account
  ✅ MFA enforced for organization
  ✅ Multiple org owners configured
  ✅ GitHub 2FA enabled (if using GitHub login)

5. Monitoring
  ✅ Security Advisor reviewed
  ✅ Performance Advisor reviewed
  ✅ Logs monitored
  ✅ Alerts configured

Complete Production Checklist

View the full pre-launch checklist

Security Compliance

Supabase maintains industry-standard security certifications:
  • SOC 2 Type II - Audited security controls
  • GDPR Compliant - European data protection
  • HIPAA Available - Healthcare data (Enterprise)
  • ISO 27001 - Information security management
Enterprise plans include additional compliance options and dedicated security support.

Reporting Security Issues

If you discover a security vulnerability:
  1. Do not open a public GitHub issue
  2. Email [email protected]
  3. Include detailed reproduction steps
  4. Allow time for response and fix
View our full security policy: supabase.com/.well-known/security.txt

Additional Resources

Row Level Security

Implement granular access control

Network Security

Configure IP restrictions and SSL

Encryption

Understand data encryption

Auth Security

Secure authentication flows

Common Security Pitfalls

Risk: Anyone can read/write all data
Solution:
  • Enable RLS on all tables
  • Use Security Advisor to find unprotected tables
  • Set up automatic RLS with event triggers

Risk: Complete database access exposed
Solution:
  • Only use anon key in client applications
  • Keep service_role key server-side only
  • Rotate keys if accidentally exposed

Risk: Account takeovers via brute force
Solution:
  • Require 12+ character passwords
  • Enable character complexity
  • Use leaked password protection
  • Implement MFA for sensitive accounts

Risk: Credentials intercepted in transit
Solution:
  • Always use HTTPS in production
  • Enable SSL enforcement for database
  • Use secure cookies
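The first pitfall above suggests enabling RLS automatically with an event trigger. This added example (not from the Supabase docs) shows one way to do that: a ddl_command_end trigger that switches RLS on for every table created in the public schema, so a forgotten ALTER TABLE cannot leave new data readable through the anon key. It assumes the role you connect with is permitted to create event triggers (assumption; check your project’s role privileges).

```sql
-- Added example (not from the Supabase docs). Assumes the connected role may
-- create event triggers.
CREATE OR REPLACE FUNCTION enforce_rls_on_new_tables()
RETURNS event_trigger
LANGUAGE plpgsql AS $$
DECLARE
  cmd record;
BEGIN
  -- pg_event_trigger_ddl_commands() lists every object the DDL just touched;
  -- keep only tables landing in the public schema.
  FOR cmd IN
    SELECT object_identity
    FROM pg_event_trigger_ddl_commands()
    WHERE object_type = 'table'
      AND schema_name = 'public'
  LOOP
    -- object_identity is already schema-qualified and quoted, so it is safe
    -- to splice into the statement with %s.
    EXECUTE format('ALTER TABLE %s ENABLE ROW LEVEL SECURITY', cmd.object_identity);
    RAISE NOTICE 'RLS enabled on %', cmd.object_identity;
  END LOOP;
END;
$$;

-- Fire after any statement that can create a table, including CREATE TABLE AS
-- and SELECT INTO.
CREATE EVENT TRIGGER rls_on_create_table
  ON ddl_command_end
  WHEN TAG IN ('CREATE TABLE', 'CREATE TABLE AS', 'SELECT INTO')
  EXECUTE FUNCTION enforce_rls_on_new_tables();
```

A freshly created table with RLS on and no policies is unreadable to anon and authenticated, which is the safe default: the developer has to write policies before any data is exposed, and the rowsecurity check from the best-practices section above will show zero rows afterwards.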
