# Security Best Practices Standards for Supabase

This document outlines security best practices for developing applications using Supabase. It aims to provide clear, actionable guidelines to protect against common vulnerabilities and foster secure coding patterns specific to the Supabase ecosystem.

## 1. Authentication and Authorization

### 1.1. Row Level Security (RLS)

**Standard:** *Always* enforce Row Level Security (RLS) policies on all tables containing sensitive data.

**Why:** RLS provides a declarative way to control data access at the row level, preventing unauthorized users from accessing or modifying data they shouldn't. Lack of RLS implementation is one of the largest issues with Supabase setups

**Do This:**

* Enable RLS on tables containing sensitive data.

* Define granular policies based on user roles, ownership, or other relevant criteria.

* Test RLS policies thoroughly to ensure they function as expected.

**Don't Do This:**

* Disable RLS on sensitive tables.

* Rely solely on client-side filtering for data access control.

* Use overly permissive or vague RLS policies.

**Code Example (PostgreSQL):**

"""sql

-- Enable RLS on the 'profiles' table

ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;

-- Create a policy that allows a user to select their own profile

CREATE POLICY "Users can select their own profile."

ON profiles

FOR SELECT

USING (auth.uid() = user_id);

-- Create a policy that allows a user to update their own profile

CREATE POLICY "Users can update their own profile."

ON profiles

FOR UPDATE

USING (auth.uid() = user_id);

"""

**Anti-Pattern:**

Disabling RLS "for convenience" during development and forgetting to re-enable it in production. This is a high severity risk since it exposes PII.

### 1.2. Authentication Providers

**Standard:** Utilize Supabase's built-in authentication providers (e.g., email/password, OAuth) or integrate with external identity providers (IdPs) for secure user authentication. Avoid custom authentication schemes unless absolutely necessary and security audited.

**Why:** Supabase provides secure and well-tested authentication flows out-of-the-box, reducing the risk of common authentication vulnerabilities. External IdPs provide added security (such as MFA).

**Do This:**

* Leverage Supabase's "auth" client library for authentication workflows.

* Enable Multi-Factor Authentication (MFA) where possible.

* Consider using social providers (Google, GitHub, etc.) for simplified signup and login.

* Implement strong password policies if using email/password authentication.

* Review the Supabase Auth documentation for the latest features and best practices.

**Don't Do This:**

* Store passwords in plain text.

* Implement custom authentication schemes without proper security expertise.

* Expose sensitive authentication tokens client-side.

* Disable rate-limiting on authentication endpoints.

**Code Example (JavaScript):**

"""javascript

import { createClient } from '@supabase/supabase-js'

const supabaseUrl = 'YOUR_SUPABASE_URL'

const supabaseKey = 'YOUR_SUPABASE_ANON_KEY'

const supabase = createClient(supabaseUrl, supabaseKey)

async function signInWithEmail(email, password) {

const { data, error } = await supabase.auth.signInWithPassword({

email: email,

password: password,

})

if (error) {

console.error("Authentication error:", error);

} else {

console.log("Signed in:", data);

}

}

signInWithEmail('test@example.com', 'securePassword');

async function signOut() {

const { error } = await supabase.auth.signOut()

if (error) {

console.error("Sign out error:", error);

} else {

console.log("Signed out");

}

}

signOut();

"""

**Anti-Pattern:** Storing the "supabaseKey" directly in client-side JavaScript code without any protection is dangerous since any user could use it to execute arbitrary requests. Use server-side code or environment variables where possible.

### 1.3. JWT (JSON Web Token) Handling

**Standard:** Handle JWTs securely, verifying their authenticity and integrity before granting access to resources. Use the Supabase client library's built-in JWT handling mechanisms.

**Why:** JWTs are used to authenticate and authorize users. Improper handling of JWTs can lead to impersonation and unauthorized access. Supabase provides methods to make this straightforward.

**Do This:**

* Use the "auth.getUser()" function to retrieve and verify the current user's information from the JWT.

* Store JWTs securely (e.g., in HTTP-only cookies).

* Implement proper JWT refresh mechanisms to prevent token expiration issues.

* Configure a short JWT expiration time to limit the impact of compromised tokens.

**Don't Do This:**

* Trust JWTs without verification.

* Store JWTs in local storage (prone to XSS attacks).

* Expose the JWT signing key.

* Disable JWT verification.

**Code Example (JavaScript - Edge Function):**

"""javascript

// Example of verifying a JWT in an Edge Function

import { createClient } from '@supabase/supabase-js'

export async function handler(req, context) {

const authHeader = req.headers.get('Authorization');

if (!authHeader || !authHeader.startsWith('Bearer ')) {

return new Response("Unauthorized", { status: 401 });

}

const token = authHeader.substring(7); // Remove "Bearer " prefix

const supabaseUrl = process.env.SUPABASE_URL;

const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY; // Use Service Role Key in Edge Functions

const supabase = createClient(supabaseUrl, supabaseKey, {

auth: {

persistSession: false // Disable persistence in edge functions

}

});

const { data: user, error } = await supabase.auth.getUser(token);

if (error) {

console.error("JWT Verification Error:", error);

return new Response("Unauthorized", { status: 401 });

}

// User is authenticated, proceed with protected logic

console.log("User ID:", user.user.id);

return new Response("Hello, User ${user.user.id}!");

}

"""

**Anti-Pattern:** Using the "anon" key to authenticate instead of a user JWT or the "service_role" key. The "anon" key should only be used for public assets.

## 2. Database Security

### 2.1. Preventing SQL Injection

**Standard:** *Always* use parameterized queries or prepared statements to prevent SQL injection vulnerabilities. Avoid constructing SQL queries by concatenating strings.

**Why:** SQL injection can allow attackers to execute arbitrary SQL code, potentially compromising the entire database.

**Do This:**

* Use Supabase's "from()" and "select()" methods to build queries.

* Use the "sql" template literal tag (or similar ORM features) for more complex queries.

**Don't Do This:**

* Concatenate user input directly into SQL queries.

* Disable parameter binding.

**Code Example (JavaScript):**

"""javascript

import { createClient } from '@supabase/supabase-js'

const supabaseUrl = 'YOUR_SUPABASE_URL'

const supabaseKey = 'YOUR_SUPABASE_ANON_KEY'

const supabase = createClient(supabaseUrl, supabaseKey)

async function fetchProfile(userId) {

const { data, error } = await supabase

.from('profiles')

.select('*')

.eq('user_id', userId); // Parameterized query

if (error) {

console.error("Error fetching profile:", error);

} else {

console.log("Profile:", data);

}

}

fetchProfile('some-user-id');

"""

**Anti-Pattern:**

"""javascript

//VULNERABLE CODE - DO NOT USE

async function fetchProfileUnsafe(userId) {

const query = "SELECT * FROM profiles WHERE user_id = '${userId}'"; //DO NOT DO THIS!

const { data, error } = await supabase.from('profiles').select('*').filter('raw_query', 'eq', query);

if (error) {

console.error("Error fetching profile:", error);

} else {

console.log("Profile:", data);

}

}

fetchProfileUnsafe("'; DROP TABLE profiles; --"); //SQL INJECTION!

"""

### 2.2. Limiting Database User Privileges

**Standard:** Grant database users the *least necessary* privileges required for their tasks. Avoid using the "service_role" key in client applications or untrusted environments.

**Why:** Limiting privileges reduces the potential impact of compromised credentials or SQL injection vulnerabilities.

**Do This:**

* Create separate database users for different application components.

* Grant only "SELECT", "INSERT", "UPDATE", and "DELETE" privileges as needed.

* Use the "service_role" key only in trusted environments (e.g., server-side code, Edge Functions).

* Create custom roles with specific permissions.

**Don't Do This:**

* Grant the "superuser" role to application users.

* Use the same database credentials for all application components.

* Embed the "service_role" key in client-side code.

**Code Example (PostgreSQL):**

"""sql

-- Create a new role for application users

CREATE ROLE app_user;

-- Grant SELECT privileges on the 'profiles' table

GRANT SELECT ON profiles TO app_user;

-- Grant INSERT privileges on the 'profiles' table

GRANT INSERT ON profiles TO app_user;

-- Create a new user and grant them the 'app_user' role

CREATE USER myapp WITH PASSWORD 'secure_password';

GRANT app_user TO myapp;

"""

### 2.3. Data Encryption

**Standard:** encrypt sensitive data both in transit and at rest.

**Why:** To ensure confidentiality and compliance with data privacy regulations.

**Do This:**

* Enable TLS/SSL for all database connections using "require_ssl = true;" in "postgresql.conf".

* Use column-level encryption for highly sensitive data (e.g., using "pgcrypto" extension).

* Consider using transparent data encryption (TDE) features if available.

**Don't Do This:**

* Store sensitive data in plain text without encryption.

* Disable TLS/SSL for database connections.

**Code Example (PostgreSQL with "pgcrypto"):**

"""sql

-- Install the pgcrypto extension

CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Add an encrypted column to the 'profiles' table

ALTER TABLE profiles ADD COLUMN email_encrypted BYTEA;

-- Function to encrypt the email address

CREATE OR REPLACE FUNCTION encrypt_email(email TEXT, key TEXT)

RETURNS BYTEA AS $$

BEGIN

RETURN pgp_sym_encrypt(email, key);

END;

$$ LANGUAGE plpgsql STRICT;

-- Function to decrypt the email address

CREATE OR REPLACE FUNCTION decrypt_email(email_encrypted BYTEA, key TEXT)

RETURNS TEXT AS $$

BEGIN

RETURN pgp_sym_decrypt(email_encrypted, key);

END;

$$ LANGUAGE plpgsql STRICT;

-- Example usage:

-- Inserting encrypted data

UPDATE profiles SET email_encrypted = encrypt_email('test@example.com', 'my_secret_key') WHERE user_id = 'some-user-id';

-- Decrypting data

SELECT decrypt_email(email_encrypted, 'my_secret_key') FROM profiles WHERE user_id = 'some-user-id';

"""

**Important:** Manage encryption keys carefully, and never store them directly in the database or application code. Use a dedicated secrets management solution.

### 2.4 Auditing

**Standard:** Setup database auditing to monitor and log access to sensitive data, track changes, and detect suspicious activity.

**Why:** Helps in forensic analysis of security incidents, compliance reporting, and identifying potential security breaches.

**Do This:**

* Enable PostgreSQL's audit logging using extensions like "pgaudit".

* Configure audit logging to capture relevant events like data access, modifications, and authentication attempts.

* Regularly review audit logs for anomalies, suspicious patterns, and unauthorized access attempts.

* Set up alerts for critical security events.

"""sql

-- Install the pgaudit extension if it's not already installed

CREATE EXTENSION IF NOT EXISTS pgaudit;

-- Configure pgaudit to log all read and write activity on tables

ALTER SYSTEM SET pgaudit.log = 'all';

-- Specify which tables to audit. In this example, we're auditing the 'profiles' table.

ALTER TABLE profiles AUDIT ALL;

-- Restart PostgreSQL to apply the changes

SELECT pg_reload_conf();

"""

**Anti-Pattern:** Failing to regularly review the collected logs makes the effort of capturing logs pointless, and can lead to security issues going unnoticed.

## 3. API Security

### 3.1. Rate Limiting

**Standard:** Implement rate limiting on API endpoints to prevent abuse and Denial-of-Service (DoS) attacks.

**Why:** Rate limiting protects your API from being overwhelmed by excessive requests, ensuring its availability and stability.

**Do This:**

* Use a rate-limiting middleware or service (e.g., Kong, Nginx with "limit_req_zone") to restrict the number of requests from a single IP address or user within a specific time window.

* Implement different rate limits for different API endpoints based on their criticality and resource consumption.

* Return informative error messages to clients when rate limits are exceeded.

**Don't Do This:**

* Expose API endpoints without any rate limiting.

* Use overly generous rate limits that allow for abuse.

* Fail to handle rate limit errors gracefully.

**Code Example (Edge Function with Rate Limiting):**

"""javascript

import { createClient } from '@supabase/supabase-js';

import { Ratelimit } from '@upstash/ratelimit';

import { Redis } from '@upstash/redis';

const redis = new Redis({

url: process.env.UPSTASH_REDIS_REST_URL,

token: process.env.UPSTASH_REDIS_REST_TOKEN,

})

const ratelimit = new Ratelimit({

redis: redis,

limiter: Ratelimit.slidingWindow(5, "10 s"), // 5 requests in 10 seconds

analytics: true,

})

export const corsHeaders = {

'Access-Control-Allow-Origin': '*',

'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',

}

export async function handler(req, context) {

// Apply rate limiting

const ipIdentifier = req.headers.get('x-forwarded-for') ?? req.ip ?? '127.0.0.1'; // Extract IP address

const { success, reset } = await ratelimit.limit(ipIdentifier);

if (!success) {

const now = Date.now()

const retryAfter = Math.min(reset * 1000 - now, 60000) / 1000;

return new Response("Rate limit exceeded", {

status: 429,

headers: {

...corsHeaders,

'Retry-After': retryAfter.toString(),

}

});

}

// Your Supabase logic here

const supabaseUrl = process.env.SUPABASE_URL;

const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY;

const supabase = createClient(supabaseUrl, supabaseKey, {

auth: {

persistSession: false

}

});

const { data, error } = await supabase.from('profiles').select('*');

if (error) {

console.error("Supabase Error:", error);

return new Response(JSON.stringify({ error: error.message }), {

status: 500,

headers: { ...corsHeaders, 'Content-Type': 'application/json' },

});

}

return new Response(JSON.stringify(data), {

headers: { ...corsHeaders, 'Content-Type': 'application/json' },

});

}

"""

This uses Upstash for Redis integration. You will need an Upstash account and to set corresponding environment variables for it to work.

### 3.2. Input Validation and Sanitization

**Standard:** *Always* validate and sanitize all user input before processing it, both on the client and server sides.

**Why:** Input validation prevents attackers from injecting malicious data or exploiting vulnerabilities in your application.

**Do This:**

* Use strong data type validation to ensure that input conforms to expected formats.

* Sanitize input to remove or escape potentially harmful characters. Supabase automatically sanitizes inputs on many operations.

* Enforce length limits to prevent buffer overflows.

* Use regular expressions to validate complex input formats.

**Don't Do This:**

* Trust user input without validation.

* Rely solely on client-side validation.

* Disable input sanitization.

**Code Example (JavaScript - Input Validation):**

"""javascript

function validateEmail(email) {

const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

return emailRegex.test(email);

}

function validatePassword(password) {

return password.length >= 8; // Minimum 8 characters

}

async function signUp(email, password) {

if (!validateEmail(email)) {

throw new Error("Invalid email address");

}

if (!validatePassword(password)) {

throw new Error("Password must be at least 8 characters long");

}

//Proceed with Supabase sign up logic

}

"""

### 3.3. Output Encoding

**Standard:** Encode output data properly to prevent Cross-Site Scripting (XSS) vulnerabilities.

**Why:** XSS vulnerabilities allow attackers to inject malicious scripts into your application, potentially stealing user credentials or performing other harmful actions.

**Do This:**

* Use context-aware encoding to escape special characters based on the output context (e.g., HTML, JavaScript, URL).

* Use templating engines with automatic escaping enabled.

* Set the "Content-Security-Policy" (CSP) header to restrict the sources of scripts and other resources that can be loaded by your application.

**Don't Do This:**

* Output user input directly into HTML without encoding.

* Disable output encoding.

**Code Example (Setting CSP Header in Edge Function):**

"""javascript

export const corsHeaders = {

'Access-Control-Allow-Origin': '*',

'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',

'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.supabase.com; style-src 'self' 'unsafe-inline';",

}

"""

## 4. Storage Security

### 4.1. Access Control for Buckets

**Standard:** Implement strict access control policies for Supabase Storage buckets to prevent unauthorized access to stored files.

**Why:** Improperly configured bucket permissions can expose sensitive data to the public.

**Do This:**

* Use RLS policies to control access to files based on user roles or ownership.

* Limit the usage of PUBLIC buckets. If not needed, use PRIVATE buckets.

* Use signed URLs for temporary access to private files.

* Rotate storage API keys periodically.

**Don't Do This:**

* Grant public read or write access to buckets containing sensitive data, unless absolutely necessary and with careful consideration.

* Store sensitive data in plain text in storage buckets.

* Expose storage API keys client-side.

**Code Example (Storage RLS Policy):**

"""sql

-- Enable RLS on the storage.objects table

ALTER TABLE storage.objects ENABLE ROW LEVEL SECURITY;

-- Create a policy that allows a user to select their own files

CREATE POLICY "Users can select their own files."

ON storage.objects

FOR SELECT

USING (auth.uid() = owner);

-- Create a policy that allows a user to insert a file if they are the owner

CREATE POLICY "Users can insert their own files."

ON storage.objects

FOR INSERT

WITH CHECK (auth.uid() = owner);

"""

### 4.2. File Upload Validation

**Standard:** Validate file uploads to prevent malicious files from being stored in Supabase Storage.

**Why:** Malicious files can be used to exploit vulnerabilities in your application or other systems.

**Do This:**

* Check file extensions against an allowlist of permitted types.

* Verify file content types using magic numbers or other techniques.

* Scan uploaded files for malware.

* Limit file sizes.

**Don't Do This:**

* Trust file extensions alone.

* Store executable files in storage buckets without proper security measures.

**Code Example (JavaScript file upload validation):**

"""javascript

async function uploadFile(file) {

const allowedExtensions = ['jpg', 'jpeg', 'png', 'gif'];

const fileExtension = file.name.split('.').pop().toLowerCase();

if (!allowedExtensions.includes(fileExtension)) {

throw new Error("Invalid file type");

}

if (file.size > 10 * 1024 * 1024) { // 10MB limit

throw new Error("File size exceeds the limit");

}

//Upload to Supabase storage...

}

"""

## 5. Infrastructure Security

### 5.1. Network Security

**Standard:** Secure your Supabase infrastructure by implementing network security measures.

**Why:** Network security protects your Supabase instance from unauthorized access and attacks.

**Do This:**

* Use a firewall to restrict network access to your Supabase instance.

* Configure network policies to allow only necessary traffic.

* Use a Virtual Private Cloud (VPC) to isolate your Supabase instance from the public internet.

* Monitor network traffic for suspicious activity.

**Don't Do This:**

* Expose your Supabase instance directly to the public internet.

* Use default firewall rules.

### 5.2. Regular Security Audits

**Standard:** Conduct regular security audits of your Supabase application and infrastructure.

**Why:** Security audits help identify and address vulnerabilities before they can be exploited.

**Do This:**

* Perform periodic vulnerability scans.

* Conduct penetration testing.

* Review code for security flaws.

* Stay up-to-date with the latest security patches and best practices.

**Don't Do This:**

* Neglect security auditing.

* Ignore security vulnerabilities.

### 5.3 Dependency Management

**Standard:** Regularly update dependencies to the newest versions.

**Why:** Outdated dependencies are a common entry point for attackers since they often contain security vulnerabilities.

**Do This:**

* Use automated tools (Dependabot, etc.) to monitor dependencies.

* Regularly review and update dependencies.

* Test after updating to ensure that the new versions do not contain regressions.

## 6. Monitoring and Logging

### 6.1 Centralized Logging

**Standard:** Centralize logs from all parts of your system (applications, databases, servers) to one location.

**Why:** Simplifies log management, correlation of event across different systems, and allows to detect anomalies and security incidents.

**Do This:**

* Use a logging library (such as Winston or Bunyan for Node.js) to generate structured logs.

* Forward logs to a central logging system like ELK stack (Elasticsearch, Logstash, Kibana), Splunk, or cloud-based logging service.

* Implement log rotation and retention policies.

### 6.2 Alerting

**Standard:** Implement alerting for critical events, errors, and suspicious activities.

**Why:** Enables rapid response to security incidents and operational issues.

**Do This:**

* Define clear thresholds for triggering alerts.

* Integrate alerting system with communication channels (email, Slack, PagerDuty).

* Regularly review alerting rules to ensure they remain effective.

### 6.3 Monitoring Key Performance Indicators (KPIs)

**Standard:** Monitor key performance indicators of your Supabase instance and associated applications.

**Why:** Monitoring helps ensure availability, performance, and security of the system.

**Do This:**

* Track database performance (query latency, resource utilization).

* Monitor API response times and error rates.

* Track storage usage.

* Set up alerts for performance degradation and anomalies.

## 7. Environment Variables

**Standard:** Store sensitive credentials such as keys, API keys, and connection strings as environment variables.

**Why**: To prevent them from being hardcoded into the application where they may be exposed.

**Do This:**

* Utilize environment variables within your hosting provider (Netlify, Vercel, AWS, etc.).

* Never commit environment variables to your codebase -- especially public repositories.

## Conclusion

By following these security best practices, you can significantly reduce the risk of vulnerabilities and protect your Supabase applications from common attacks. Remember that security is an ongoing process, and it's essential to stay up-to-date with the latest security threats and best practices. Continuously review and improve your security measures to maintain a secure Supabase environment.