DEV Community

Yuri for Supabase

Originally published at supabase.com

Improved Security Controls and A New Home for Security

Today we are launching the foundations of several security features we plan to build in the upcoming months.

  1. Centralized Security Docs
  2. Organization‑wide Security Settings in the dashboard

Read on to learn more about the recent security features we have launched and our upcoming roadmap for security.


Centralized Security Docs

Supabase offers a robust set of security controls, but discovering and configuring them can feel daunting. Our new security documentation brings everything into one place - from product features like Auth Rate Limits and Vault to step‑by‑step guides on building secure applications with Supabase (Row‑Level Security, hardening the Data API, the Production Checklist, and more).

We’ve also published dedicated SOC 2 and HIPAA guides that explain how to achieve these compliance standards on Supabase and answer common questions.

Enforce MFA in Organization Security Settings

Organization view with an MFA-enforced project

The first setting we are launching in the Organization‑wide Security Settings page in the dashboard is the ability to enforce Multi‑Factor Authentication (MFA) for every member of a Supabase Organization. Once enabled, all members must have MFA configured to access any project or resource in that org.

Project view when MFA enforced and access denied

With MFA enforcement enabled, all members of your organization must use multi-factor authentication to access any project or resource. A member who has not enabled MFA immediately loses access until they do. New members can still accept an invitation to an MFA-enforced organization, but cannot interact with the organization until they have enabled MFA.

This setting is only available to organization owners, and the owner must have MFA enabled on their own account. We recommend setting up two separate MFA apps as a backup.

A few notes:

  • Available on Pro, Team, and Enterprise plans.
  • Personal access tokens (used with the Management API and the CLI) are not affected by this setting; they keep working regardless of the holder's MFA status, so review them separately.

You can toggle the setting on in the new Security tab of your organization settings.

New security tab under organization settings

Supabase Realtime - Enable Private Channels Only

Realtime configuration for private channels

You can now restrict Realtime to private channels only, using Realtime Authorization. If you disable the Allow public access setting, no public channels can be created: only clients authorized via Realtime Authorization can listen to and broadcast messages.

This settings page is currently a feature preview. Once you enable the preview, you can configure the setting in the new Realtime Settings page. While you are there, you can also tune the connection pool size that Realtime uses and the maximum number of concurrent clients.
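As an added example (not from the original post and not Supabase's own code), here is what "authorized via Realtime Authorization" means in practice. Realtime Authorization is driven by Row Level Security policies on the `realtime.messages` table: when a client joins a private channel, Realtime evaluates the SELECT policies to decide whether it may receive broadcast and presence messages and the INSERT policies to decide whether it may send them. `realtime.topic()` (the channel name the client joined) and the `extension` column (`'broadcast'` or `'presence'`) are part of Realtime Authorization; the `rooms` and `room_members` tables and the `can_write` flag are assumptions made for this illustration.

```sql
-- Assumed application tables (not part of Supabase): a room and its members.
create table if not exists public.rooms (
  id   uuid primary key default gen_random_uuid(),
  name text not null unique          -- used as the Realtime channel topic
);

create table if not exists public.room_members (
  room_id   uuid    not null references public.rooms (id) on delete cascade,
  user_id   uuid    not null references auth.users (id)   on delete cascade,
  can_write boolean not null default false,
  primary key (room_id, user_id)
);

alter table public.rooms        enable row level security;
alter table public.room_members enable row level security;

-- Members may read only their own membership rows through the Data API.
create policy "members read own membership"
on public.room_members for select
to authenticated
using (user_id = (select auth.uid()));

-- Receiving: a client may subscribe to the private channel named after a room
-- only if it is an authenticated member of that room.
create policy "room members can receive"
on realtime.messages for select
to authenticated
using (
  realtime.messages.extension in ('broadcast', 'presence')
  and exists (
    select 1
    from public.room_members rm
    join public.rooms r on r.id = rm.room_id
    where rm.user_id = (select auth.uid())
      and r.name = realtime.topic()
  )
);

-- Sending: any member may publish presence state, but broadcasting a message
-- additionally requires the assumed can_write flag.
create policy "room members can send"
on realtime.messages for insert
to authenticated
with check (
  realtime.messages.extension in ('broadcast', 'presence')
  and exists (
    select 1
    from public.room_members rm
    join public.rooms r on r.id = rm.room_id
    where rm.user_id = (select auth.uid())
      and r.name = realtime.topic()
      and (realtime.messages.extension = 'presence' or rm.can_write)
  )
);
```

On the client side the channel must be opened as private (in supabase-js: `supabase.channel('room-name', { config: { private: true } })`) so that these policies are consulted; with Allow public access turned off, a join that omits that flag is rejected, which is the "no public channels can be created" guarantee above. Note that there is no policy granting the `anon` role anything on `realtime.messages`, so unauthenticated clients cannot join any room even if they know its name.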

Security and Performance Advisors - Disable Specific Rules


We received feedback from users that not all Security and Performance Advisor rules apply to their project. Supabase powers everything from backend-only APIs to full-stack apps, and some advisor rules are not relevant to everyone. For example, the RLS Disabled in Public rule may not apply if you only reach Supabase from a trusted server-side context such as a web server, never from browsers or mobile clients. Bear in mind that disabling the advisor does not change what the Data API exposes: a table in the public schema without RLS remains readable by anyone holding the anon key unless that role's privileges are revoked or the table is kept out of the exposed schemas, so disable the rule only once that exposure is genuinely closed.


You can now customize Security Advisor rules and disable the ones that are not relevant to you. We will be extending rule customization to include rule assignment and more fine-grained filtering.

This is currently a feature preview. Once you enable the preview, rules can be managed through the new configuration section.

What comes next?

This release is one building block in a much larger, long‑term security roadmap across the Supabase platform - everything from user auth to network isolation, compliance tooling, and automated remediation. Here’s what we’re actively working on:

Stronger Authentication and Access Control

  • YubiKey and other hardware security key MFA support, complementing the existing time-based one-time password (TOTP) flow.
  • We have already announced that project-scoped roles are now also available on the Team plan, and we are now working to bring custom roles to the Enterprise plan. This will allow organizations to define their own fine-grained roles, limiting the actions and resources each user has access to.

Security Enforcement

  • Assigning Security Advisories to team members in your org
  • Extending our project-level controls so that compliance controls can be enforced automatically on sensitive projects.
  • Supporting additional compliance standards, alongside our existing SOC 2 and HIPAA controls.

Enterprise Connectivity

  • Self-service SSO for Supabase Organizations: Enterprise teams that want to enforce SSO will be able to configure it directly in the Supabase dashboard, with no support ticket required.
  • Supabase PrivateLink provides enterprise-grade private network connectivity between your AWS VPC and your Supabase database using AWS VPC Lattice. This is currently in Private Alpha and available to our Enterprise customers.

Our goal is to provide you with the tools you need to deploy your production apps on Supabase with confidence.

Launch Week 15

Main Stage

Day 1 - Introducing JWT Signing Keys
Day 2 - Introducing Supabase Analytics Buckets with Iceberg Support
