Supabase Security Pitfalls - 1

What are the common security pitfalls when using this popular platform?

At a high level, Supabase is an open-source backend platform built around PostgreSQL that provides the common building blocks needed for typical modern applications: a database, authentication, APIs, realtime updates, storage, edge functions, and developer tooling. Supabase comes in two offerings: Supabase Cloud, the managed SaaS version where Supabase operates the infrastructure for you, and open-source Supabase, the self-hostable platform made up of Supabase’s core components, which teams can run on their own infrastructure for more control, customization, or compliance needs.

Supabase Cloud is the managed SaaS version, where Supabase operates the infrastructure for you. The key point of Supabase Cloud is that your backend is built around Postgres, while Supabase manages much of the infrastructure and operational work so teams can focus more on product development. You give up control over how that backend is managed and where it is hosted in exchange for product velocity. Supabase Cloud is hosted in AWS. More on that later.

Open-source Supabase does not have all the out-of-the-box bells and whistles that the hosted version provides. You have to manage your own infrastructure and put an authentication layer in front of its Studio dashboard. You must also configure and operate the surrounding pieces yourself: SMTP/email delivery, OAuth providers, JWT secrets, callback URLs, security settings, user management, upgrades, monitoring, and production hardening.
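The JWT secret and the API keys derived from it are the pieces of a self-hosted deployment most often left at their shipped placeholder values. The following audit script is an added example, not code from this post or from the Supabase project. It reads a self-hosted `.env` file, checks that `JWT_SECRET` is long enough and not an obvious placeholder, verifies that `ANON_KEY` and `SERVICE_ROLE_KEY` are HS256 tokens actually signed with that secret and carry the expected `role` claim, and flags a weak `DASHBOARD_PASSWORD`. The variable names match the ones used in Supabase's self-hosting `.env.example`; the two sample `.env` bodies, the placeholder word list, and the length thresholds are constructed for this example and are not Supabase's own defaults.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(secret: str, claims: dict) -> str:
    """Mint an HS256 JWT; used here only to build the sample keys."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str):
    """Return the claims if token is a valid HS256 JWT under secret, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never accept 'none' or a different alg
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for a dotenv-style file (comments and blanks skipped)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"')
    return env


# Constructed heuristic: substrings that suggest a value was never changed.
PLACEHOLDER_HINTS = ("your-super-secret", "insecure", "changeme", "example")


def audit_env(text: str) -> list:
    """Return a list of findings for a self-hosted Supabase .env body."""
    env = parse_env(text)
    findings = []
    secret = env.get("JWT_SECRET", "")
    if len(secret) < 32:
        findings.append("JWT_SECRET shorter than 32 characters")
    if any(h in secret.lower() for h in PLACEHOLDER_HINTS):
        findings.append("JWT_SECRET looks like a placeholder value")
    # Both API keys must be signed by JWT_SECRET or GoTrue/PostgREST will reject them,
    # and a key signed by some other secret is a sign the .env was assembled by hand.
    for key, role in (("ANON_KEY", "anon"), ("SERVICE_ROLE_KEY", "service_role")):
        claims = verify_hs256(env.get(key, ""), secret)
        if claims is None:
            findings.append(f"{key} is not a valid HS256 JWT signed by JWT_SECRET")
        elif claims.get("role") != role:
            findings.append(f"{key} has role {claims.get('role')!r}, expected {role!r}")
    password = env.get("DASHBOARD_PASSWORD", "")
    if len(password) < 16 or any(h in password.lower() for h in PLACEHOLDER_HINTS):
        findings.append("DASHBOARD_PASSWORD is short or looks like a placeholder")
    return findings


# Constructed sample 1: secret left at a placeholder, ANON_KEY signed with a different secret.
WEAK_SECRET = "your-super-secret-jwt-token"
WEAK_ENV = f"""
# constructed sample, not a real deployment
JWT_SECRET={WEAK_SECRET}
ANON_KEY={mint_hs256("some-other-secret", {"iss": "supabase", "role": "anon"})}
SERVICE_ROLE_KEY={mint_hs256(WEAK_SECRET, {"iss": "supabase", "role": "service_role"})}
DASHBOARD_USERNAME=supabase
DASHBOARD_PASSWORD=this_password_is_insecure
"""

# Constructed sample 2: 48-character secret, both keys minted from it, strong dashboard password.
STRONG_SECRET = "a1b2c3d4e5f6" * 4
HARDENED_ENV = f"""
JWT_SECRET={STRONG_SECRET}
ANON_KEY={mint_hs256(STRONG_SECRET, {"iss": "supabase", "role": "anon"})}
SERVICE_ROLE_KEY={mint_hs256(STRONG_SECRET, {"iss": "supabase", "role": "service_role"})}
DASHBOARD_USERNAME=admin
DASHBOARD_PASSWORD=Correct-Horse-Battery-Staple-42
"""

if __name__ == "__main__":
    for name, body in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, audit_env(body) or ["no findings"])
```

Run it against the real file with `audit_env(open(".env").read())` before the first `docker compose up`; the weak sample reports four findings and the hardened sample none. Signature verification here is deliberately strict about `alg`, since the keys in this file are the credentials every client and the service role itself present to your API.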

But there is one thing that the self-hosted open-source version provides that Supabase cloud can never provide.

And that one thing is data sovereignty.

Think about that for a moment. Regardless of where your data, or your customers’ data, resides in the world, if the company hosting it is a U.S.-based company, then the U.S. government can gain access to it so long as they follow a “process”.

Okay. I know what you are thinking. There is a valid legal process that must be followed in order to compel these providers.

The challenge to that “process” is that we have seen the American judicial system weaponized for political ends and subverted to attack political enemies. Therefore, how is it possible to ensure that your data, or your customers’ data, is safe from any political whim and from a process that is not fit for purpose?

Yes, self-hosted open-source Supabase is more work. But you will need to balance that work with the risk profile of the data you maintain.

And to be fair, this also applies to any managed database in an American cloud provider’s infrastructure.
