Production Checklist

After developing your project and deciding it's production ready, you should run through this checklist to ensure that your project:

• Is secure
• Won't falter under the expected load
• Remains available whilst in production

Security#

Check and review issues in your database using Security Advisor.

• Ensure you have enabled row level security (RLS) on all tables from the Database > Tables section of the Supabase Dashboard.
  • Tables that do not have RLS enabled with reasonable policies allow any client to access and modify their data. This is usually not what you want.
  • Learn more about RLS.
• Enable replication on tables containing sensitive data by enabling RLS and setting row security policies:
  • Go to the Authentication > Policies section of the Supabase Dashboard to enable RLS and create security policies.
  • Go to the Database > Publications section of the Supabase Dashboard to manage replication tables.
• Turn on SSL Enforcement from the Database > Settings > SSL Configuration section of the dashboard.
• Enable Network Restrictions for the database from the Database > Settings > Network Restrictions section of the dashboard.
• Ensure that you protect your Supabase Account with multi-factor authentication (MFA).
  • If using a GitHub sign-in, enable 2FA on GitHub.
  • Since your GitHub account gives you administrative rights to your Supabase org, you should protect it with a strong password and 2FA using a U2F key or a TOTP app.
  • If using email+password sign-in, set up MFA for your Supabase account.
• Consider enabling MFA enforcement on your organization. This ensures all users must have a valid MFA-backed session to interact with organization and project resources.
• Consider adding multiple owners on your Supabase org from the Organization > Team section of the Supabase Dashboard. This ensures that if one of the owners is unreachable or loses access to their account, you still have Owner access to your org.
• Enable email confirmations in the Authentication > Providers section of the dashboard.
• Set the expiry in the Authentication > Providers section of the dashboard for one-time passwords (OTPs) to a reasonable value that you are comfortable with.
  • We recommend setting this to 3600 seconds (1 hour) or lower.
  • Increase the length of the OTP if you need a higher level of entropy.
• If your application requires a higher level of security, consider setting up multi-factor authentication (MFA) for your users.
• Use a custom SMTP server for auth emails so that your users can see that the mails are coming from a trusted domain (preferably the same domain that your app is hosted on). Grab SMTP credentials from any major email provider such as SendGrid, AWS SES, etc.
• Consider how you might abuse your service as an attacker, and take steps to mitigate it.
• Review these common cybersecurity threats.

Performance#

Check and review issues in your database using Performance Advisor.

• Ensure that you have suitable indices to cater to your common query patterns
  • Learn more about indexes in Postgres.
  • pg_stat_statements can help you identify hot or slow queries.
• Perform load testing (preferably on a staging env)
  • Tools like k6 can simulate traffic from many different users.
• Upgrade your database if you require more resources. If you need anything beyond what is listed in the compute and disk table, contact enterprise@supabase.io.
• If you are expecting a surge in traffic (for a big launch) and are on a Team or Enterprise Plan, contact support with more details about your launch and we'll help keep an eye on your project.
• If you expect your database size to be > 4 GB, enable the Point in Time Recovery (PITR) add-on in the Settings > Add-ons section of the dashboard.

Availability#

• Use your own SMTP credentials so that you have full control over the deliverability of your transactional auth emails in the Authentication > Emails > SMTP Settings section of the dashboard.
  • You can grab SMTP credentials from any major email provider such as SendGrid, AWS SES, etc. Read our SMTP guide for more setup details.
  • The default rate limit for auth emails when using a custom SMTP provider is 30 new users per hour. If you are doing a major public announcement, you will likely require more than this.
• We may pause applications on the Free Plan that exhibit low activity in a 7-day period to save on server resources.
  • You can restore paused projects from the Supabase dashboard.
  • Upgrade to Pro to guarantee that we won't pause your project for inactivity.
• Database backups are not available for download for Free Plan projects.
  • Read the Database Backups guide for more options and retention details.
  • If you need a lower recovery point objective (RPO), enable Point-in-Time Recovery (PITR). PITR allows you to back up a project at shorter intervals. This provides users an option to restore to any chosen point in time with second-level granularity.
• Supabase Projects use disks that offer 99.8-99.9% durability by default.
  • Use Read Replicas if you require availability resilience to a disk failure event
  • Use PITR if you require durability resilience to a disk failure event
• Upgrading to the Supabase Pro Plan gives you access to our support team.

Rate limiting, resource allocation, & abuse prevention#

Shared Responsibility Model

Running databases is a shared responsibility between you and Supabase. There are some things that we can take care of for you, and some things that you are responsible for.

Read more details in our Shared Responsibility Model guide.

• Supabase employs a number of safeguards against bursts of incoming traffic to prevent abuse and help maximize stability across the platform
  • If you're on a Team or Enterprise Plan and expect high load events, such as production launches, heavy load testing, or prolonged high resource usage, open a ticket via the support form for help. Provide at least 2 weeks notice.

Auth rate limits#

• The table below shows the rate limit quotas on the following authentication endpoints. You can configure the authentication rate limits for your project in the Authentication > Rate Limits section of the dashboard.

Endpoint

Path

Limited By

Rate Limit

All endpoints that send emails

/auth/v1/signup /auth/v1/recover /auth/v1/user[^1]

Sum of combined requests

As of 3 Sep 2024, this has been updated to 2 emails per hour. You can only change this with your own custom SMTP setup.

All endpoints that send One-Time-Passwords (OTP)

/auth/v1/otp

Sum of combined requests

Defaults to 360 OTPs per hour. Is customizable.

Send OTPs or magic links

/auth/v1/otp

Last request

Defaults to 60 seconds window before a new request is allowed. Is customizable.

Signup confirmation request

/auth/v1/signup

Last request

Defaults to 60 seconds window before a new request is allowed. Is customizable.

Password Reset Request

/auth/v1/recover

Last request

Defaults to 60 seconds window before a new request is allowed. Is customizable.

Verification requests

/auth/v1/verify

IP Address

360 requests per hour (with bursts up to 30 requests)

Token refresh requests

/auth/v1/token

IP Address

1800 requests per hour (with bursts up to 30 requests)

Create or Verify an MFA challenge

/auth/v1/factors/:id/challenge /auth/v1/factors/:id/verify

IP Address

15 requests per minute (with bursts up to 30 requests)

Anonymous sign-ins

/auth/v1/signup[^2]

IP Address

30 requests per hour (with bursts up to 30 requests)

Realtime limits#

• Review the Realtime limits.
• If you need limits increased, contact support.

Abuse prevention#

• Supabase provides CAPTCHA protection on the signup, sign-in and password reset endpoints. Read the Auth CAPTCHA guide for more details on how to protect against abuse using this method.

Email link validity#

• When working with enterprise systems, email scanners may scan and make a GET request to the reset password link or sign-up link in your email. Since links in Supabase Auth are single-use, a user who opens an email post-scan to click on a link will receive an error. To get around this problem, consider altering the email template to replace the original magic link with a link to a domain you control. The domain can present the user with a "Sign-in" button, which redirects the user to the original magic link URL when clicked.
• When using a custom SMTP service, some services might have link tracking enabled which may overwrite or deform the email confirmation links sent by Supabase Auth. To prevent this from happening, we recommend that you disable link tracking when using a custom SMTP service.