| 1 | +--- |
| 2 | +title: 'Improved Security Controls and A New Home for Security' |
| 3 | +description: 'Access to a new central security page and launch of additional controls.' |
| 4 | +categories: |
| 5 | + - product |
| 6 | + - launch-week |
| 7 | +tags: |
| 8 | + - launch-week |
| 9 | + - security |
| 10 | + - realtime |
| 11 | +date: '2025-07-16:15:00' |
| 12 | +toc_depth: 3 |
| 13 | +author: staaldraad,hieu,filipe |
| 14 | +image: launch-week-15/day-3-security-controls/og.jpg |
| 15 | +thumb: launch-week-15/day-3-security-controls/thumb.png |
| 16 | +launchweek: 15 |
| 17 | +--- |
| 18 | + |
| 19 | +Today we are launching the foundations of several security features we plan to build on in the upcoming months. |
| 20 | + |
| 21 | +- Centralized security docs |
| 22 | +- Organization‑wide security settings in the Dashboard |
| 23 | + |
| 24 | +## Centralized Security Docs |
| 25 | + |
| 26 | +Supabase offers a robust set of security controls, but discovering and configuring them can feel daunting. Our [new security documentation](/docs/guides/security) brings everything into one place - from product features like Auth Rate Limits and Vault to step‑by‑step guides on building secure applications with Supabase (Row‑Level Security, hardening the Data API, the Production Checklist, and more). |
| 27 | + |
| 28 | +We’ve also published dedicated [SOC 2](/docs/guides/security/soc-2-compliance) and [HIPAA](/docs/guides/security/hipaa-compliance) guides that explain how to achieve these compliance standards on Supabase and answer common questions. |
| 29 | + |
| 30 | +## Enforce MFA in Organization Security Settings |
| 31 | + |
| 32 | +<Img |
| 33 | + src={{ |
| 34 | + dark: '/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-dark.png', |
| 35 | + light: '/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-light.png', |
| 36 | + }} |
| 37 | + alt="Organization view with a MFA enforced project" |
| 38 | +/> |
| 39 | + |
| 40 | +The first setting we are launching in the organization‑wide security settings page in the Dashboard is the ability to enforce Multi‑Factor Authentication (MFA) for every member of a Supabase Organization. Once enabled, all members must have MFA configured to access any project or resource in that org. |
| 41 | + |
| 42 | +<Img |
| 43 | + src={{ |
| 44 | + dark: '/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-dark.png', |
| 45 | + light: '/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-light.png', |
| 46 | + }} |
| 47 | + alt="Project view when MFA enforced and access denied" |
| 48 | +/> |
| 49 | + |
| 50 | +With MFA enforcement enabled, all members of your organization must use multi-factor authentication to access any project or resource. If a member hasn’t enabled MFA, they will immediately lose access until they do. New organization members will be able to accept invitations to an MFA enforced organization, but will not be able to interact with the organization until they have enabled MFA. |
| 51 | + |
| 52 | +This setting is only available to **Organization Owners**, and the owner must have MFA enabled on their own account. We recommend setting up **two separate MFA apps** as a backup. |
| 53 | + |
| 54 | +A few notes: |
| 55 | + |
| 56 | +- Only available on **Pro, Team, and Enterprise** plans. |
| 57 | +- **Personal Access Tokens** (**PATs**) are not affected by this setting. |
| 58 | + |
| 59 | +You can toggle on this setting in the new [**Security tab**](/dashboard/org/_/security) of your organization settings. |
| 60 | + |
| 61 | +<Img |
| 62 | + src={{ |
| 63 | + dark: '/images/blog/launch-week-15/day-3-security-controls/security-page-dark.png', |
| 64 | + light: '/images/blog/launch-week-15/day-3-security-controls/security-page-light.png', |
| 65 | + }} |
| 66 | + alt="New security tab under organization settings" |
| 67 | +/> |
| 68 | + |
| 69 | +## Supabase Realtime - Enable Private Channels Only |
| 70 | + |
| 71 | +<Img |
| 72 | + src={{ |
| 73 | + dark: '/images/blog/launch-week-15/day-3-security-controls/realtime-settings-dark.png', |
| 74 | + light: '/images/blog/launch-week-15/day-3-security-controls/realtime-settings-light.png', |
| 75 | + }} |
| 76 | + alt="Realtime configuration for private channels" |
| 77 | +/> |
| 78 | + |
| 79 | +You can now set Realtime to use only private channels using [Realtime Authorization](/docs/guides/realtime/authorization?queryGroups=language&language=dart). If you toggle off the `Allow public access` setting, no public channels can be created. Only clients authorized via [Realtime Authorization](/docs/guides/realtime/authorization?queryGroups=language&language=dart), can listen to and send messages. |
| 80 | + |
| 81 | +This settings page is under a feature preview and you can enable it [here](/dashboard/project/_?featurePreviewModal=supabase-ui-realtime-settings). Once the feature preview is enabled, you can configure this setting in the new [Realtime Settings page](/dashboard/project/_/realtime/settings). While you are there, you can also tune the connection pool size that Realtime uses and the maximum **concurrent clients.** |
| 82 | + |
| 83 | +## Security and Performance Advisors - Disable Specific Rules |
| 84 | + |
| 85 | +<Img |
| 86 | + src={{ |
| 87 | + dark: '/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-dark.png', |
| 88 | + light: '/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-light.png', |
| 89 | + }} |
| 90 | + alt="Security and Performance Advisors - Rules Overview" |
| 91 | +/> |
| 92 | + |
| 93 | +We received feedback from users that not all security and performance advisor rules apply to their project. Supabase powers everything from backend‑only APIs to full‑stack apps and some Security and Performance advisors may not be applicable for everyone. For example, the RLS Disabled in Public rule may not apply if you only access Supabase from a secure context like a web server. |
| 94 | + |
| 95 | +<Img |
| 96 | + src={{ |
| 97 | + dark: '/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-dark.png', |
| 98 | + light: |
| 99 | + '/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-light.png', |
| 100 | + }} |
| 101 | + alt="Security and Performance Advisors - Disable Rule" |
| 102 | +/> |
| 103 | + |
| 104 | +You can now customize Security Advisor rules and disable rules which are not relevant to your project. We will be extending rule customization to include rule assignment and more fine grained filtering. |
| 105 | + |
| 106 | +This is currently under a feature preview and you can enable it [here](/dashboard/project/_?featurePreviewModal=supabase-ui-advisor-rules). Once enabled, rules can be managed through the new [configuration section](/dashboard/project/_/advisors/rules/security). |
| 107 | + |
| 108 | +## What comes next? |
| 109 | + |
| 110 | +This release is the first building block in our security roadmap across the Supabase platform, including user auth, network isolation, compliance tooling, and automated remediation. |
| 111 | + |
| 112 | +Here’s what's in progress: |
| 113 | + |
| 114 | +**Stronger Authentication and Access Control** |
| 115 | + |
| 116 | +- **YubiKey and hardware key MFA support** to complement Time-based One-Time Password (TOTP) flow. |
| 117 | +- We have already announced that [project scoped roles](/docs/guides/platform/access-control#organization-scoped-roles-vs-project-scoped-roles) are [available on the Team plan](/changelog#project-scoped-roles), and now we are working to bring **custom roles** to our Enterprise plan. This will allow organizations to define custom, fine grained roles, limiting the actions and resources users have access to. |
| 118 | + |
| 119 | +**Security Enforcement** |
| 120 | + |
| 121 | +- **Assigning Security Advisories** to team members in your org. |
| 122 | +- Furthermore, we are extending our project scoped controls to allow **automatically enforcing compliance controls** on [sensitive projects](/docs/guides/platform/hipaa-projects). |
| 123 | +- Supporting **additional compliance standards**, alongside our existing [SOC 2](/docs/guides/security/soc-2-compliance) and [HIPAA](/docs/guides/security/hipaa-compliance) controls. |
| 124 | + |
| 125 | +**Enterprise Connectivity** |
| 126 | + |
| 127 | +- **Self-service SSO for Supabase Organizations:** Enterprise teams looking to enforce SSO sign-on will be able to self-serve via Supabase Dashboard and will no longer need to submit a support ticket. |
| 128 | +- [Supabase PrivateLink](/docs/guides/platform/privatelink) provides enterprise-grade private network connectivity between your AWS VPC and your Supabase database using AWS VPC Lattice. This is currently in Private Alpha and available to our Enterprise customers. |
| 129 | + |
| 130 | +Our goal is to provide you with the best suite of security tools you need to deploy your production apps on Supabase with confidence. |
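Review bot: the `date` value in the frontmatter (line 11 of the added file) is malformed: `'2025-07-16:15:00'` joins the date and the time with a colon, which most frontmatter date parsers will reject or misread; an ISO-style `'2025-07-16T15:00'` (or whatever form the other posts in this directory use) is what is meant here. Two wording fixes in the same file: the alt text "Organization view with a MFA enforced project" should read "an MFA enforced project", and in the Realtime section the comma in "Only clients authorized via [Realtime Authorization](...), can listen to" splits subject from verb. On substance, two caveats the text should state rather than leave implicit: the note that Personal Access Tokens are not affected by MFA enforcement means PAT-based access is not gated by this control, so readers should be pointed at reviewing and rotating existing PATs when they enable enforcement; and the Advisor example "the RLS Disabled in Public rule may not apply if you only access Supabase from a secure context like a web server" only holds when those tables are not reachable through the Data API, so the sentence should spell out that precondition before suggesting the rule be disabled.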