diff --git a/apps/docs/content/guides/platform/privatelink.mdx b/apps/docs/content/guides/platform/privatelink.mdx index a20f129cdfef6..9cd13f475795a 100644 --- a/apps/docs/content/guides/platform/privatelink.mdx +++ b/apps/docs/content/guides/platform/privatelink.mdx 
@@ -35,33 +35,122 @@ To use PrivateLink with your Supabase project: - AWS VPC in the same region as your Supabase project - Appropriate permissions to accept Resource Shares, and create and manage endpoints - +## Getting started -PrivateLink connections are region-specific. Your VPC and Supabase project must be in the same AWS region to establish the connection. +#### Step 1: Contact Supabase support - +Reach out to your Enterprise account manager or [contact our team](https://supabase.com/contact/enterprise) to initiate PrivateLink setup. During this initial contact, be prepared to provide: -## Getting started +- Your Supabase organization slug +- The specific projects you want to enable PrivateLink for (optional) +- Your AWS Account ID(s) + +#### Step 2: Accept resource share + +Supabase will send you an AWS Resource Share containing the VPC Lattice Resource Configurations for your projects. To accept this share: + +1. Login to your AWS Management Console, ensure you are in the AWS region where your Supabase project is located +2. Navigate to the AWS Resource Access Manager (RAM) console + {/* supa-mdx-lint-disable-next-line Rule004ExcludeWords */} +3. Go to [Shared with me > Resource shares](https://console.aws.amazon.com/ram/home#SharedResourceShares) +4. Locate the resource share from Supabase. + - The resource share will have the format `cust-prod-[region]-pl-[organisation]-rc-share` +5. Click on the resource share name to view details. Review the list of resource shares - it should only include resources of type vpc-lattice:ResourceConfiguration. +6. Click **Accept resource share** +7. 
Confirm the acceptance in the dialog box + +{/* supa-mdx-lint-disable-next-line Rule004ExcludeWords */} +After accepting, you'll see the resource configurations appear in your [Shared with me > Shared resources](https://console.aws.amazon.com/ram/home#SharedResources) section of the RAM console and the [PrivateLink and Lattice > Resource configurations](https://console.aws.amazon.com/vpcconsole/home#ResourceConfigs) section of the VPC console. + +#### Step 3: Configure security groups + +Ensure your security groups allow traffic on the appropriate ports: + +1. Navigate to the [VPC console > Security Groups](https://console.aws.amazon.com/vpcconsole/home#SecurityGroups:) +2. Create a new security group for the endpoint or service network by clicking [Create security group](https://console.aws.amazon.com/vpcconsole/home#CreateSecurityGroup:) +3. Give your security group a descriptive name and select the appropriate VPC +4. Add an inbound rule for: + - Type: Postgres (TCP, port 5432) + - Destination that is appropriate for your network. i.e. the subnet of your VPC or security group of your application instances +5. Finish creating the security group by clicking **Create security group** + +#### Step 4: Create connection + +In your AWS account, you have two options to establish connectivity: + +##### Option A: Create a PrivateLink endpoint + +1. Navigate to the VPC console in your AWS account +2. Go to [Endpoints](https://console.aws.amazon.com/vpcconsole/home#Endpoints:) in the left sidebar +3. Click [Create endpoint](https://console.aws.amazon.com/vpcconsole/home#CreateVpcEndpoint:) +4. Give your endpoint a name (e.g. `supabase-privatelink-[project name]`) +5. Under Type, select **Resources** +6. In the **Resource configurations** section select the appropriate resource configuration + - The resource configuration name will be in the format `[organisation]-[project-ref]-rc` +7. Select your VPC from the dropdown. 
This should match the VPC you selected for your security group in Step 3 +8. Enable the **Enable DNS name** option if you want to use a DNS record instead of the endpoints IP address(es) +9. Choose the appropriate subnets for your network + - AWS will provision a private ENI for you in each selected subnet + - IP address type should be set to IPv4 +10. Choose the security group you created in Step 3. +11. Click **Create endpoint** +12. After creation, you will see the endpoint in the [Endpoints](https://console.aws.amazon.com/vpcconsole/home#Endpoints:) section with a status of "Available" +13. For connectivity: + - The IP addresses of the endpoint will be listed in the **Subnets** section of the endpoint details + - The DNS record will be in the **Associations** section of the endpoint details in the **DNS Name** field if you enabled it in step 8 -PrivateLink setup requires coordination between your team and Supabase. The process involves sharing your AWS Account ID(s) and accepting a Resource Share. +##### Option B: Attach resource configuration to an existing VPC lattice service network -### Setup process +1. **This method is only recommended if you have an existing VPC Lattice Service Network** +2. Navigate to the VPC Lattice console in your AWS account +3. Go to [Service networks](https://console.aws.amazon.com/vpcconsole/home#ServiceNetworks) in the left sidebar and select your service network +4. In the service network details, go to the **Resource configuration associations** tab +5. Click **Create associations** +6. Select the appropriate **Resource configuration** from the dropdown +7. Click **Save changes** +8. After creation, you will see the resource configuration in the Resource configurations section of your service network with the status "Active" +9. For connectivity, click on the association details and the domain name will be listed in the **DNS entries** section -1. 
**Contact Supabase Support**: Reach out to your Enterprise account manager or [contact our team](https://supabase.com/contact/enterprise) to initiate PrivateLink setup -2. **Provide AWS Account Details**: Share your AWS Account ID(s) with our team. Optionally specify which Supabase projects you want to enable (otherwise all projects in your organization will be included) -3. **Accept Resource Share**: Supabase will send you an AWS Resource Share containing the VPC Lattice Resource Configurations for your projects. Accept this share from your AWS console -4. **Create Connection**: In your AWS account, either [create a PrivateLink endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-resources.html) or [attach the Resource Configuration](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html) to an existing VPC Lattice Service Network -5. **Test Connectivity**: Verify the private connection is working correctly from your VPC -6. **Update Applications**: Configure your applications to use the private connection details -7. **Disable Public Connectivity**: Optionally, disable public internet access for your database to enforce private-only connectivity +#### Step 5: Test connectivity -### DNS and connectivity +Verify the private connection is working correctly from your VPC: -Once PrivateLink is configured: +1. Launch an EC2 instance or use an existing instance in your VPC +2. Install a Postgres client (e.g., `psql`) +3. 
Test the connection using the private endpoint: -- You may configure a custom DNS record to point to your PrivateLink endpoint interface or the endpoints on.aws DNS record within your VPC -- Applications will need to be updated to use the PrivateLink endpoint -- Standard database monitoring and observability tools will continue to work through the private connection +```bash +psql "postgresql://[username]:[password]@[private-endpoint]:5432/postgres" +``` + +You should see a successful connection without any public internet traffic. + +#### Step 6: Update applications + +Configure your applications to use the private connection details: + +1. Update your database connection strings to use the private endpoint hostname +2. Ensure your application instances are in the same VPC or connected VPCs +3. Update any database connection pooling configurations +4. Test application connectivity thoroughly + +Example connection string update: + +``` +# Before (public) +postgresql://user:pass@db.[project-ref].supabase.co:5432/postgres + +# After (private) +postgresql://user:pass@your-private-endpoint.vpce.amazonaws.com:5432/postgres +``` + +#### Step 8: Disable public connectivity (optional) + +For maximum security, you can disable public internet access for your database: + +1. Contact Supabase support to disable public connectivity +2. Ensure all applications are successfully using the private connection +3. Update any monitoring or backup tools to use the private endpoint ## Alpha limitations 
@@ -72,20 +161,10 @@ During the alpha phase: ## Compatibility -The PrivateLink endpoint behaves like a standard Postgres endpoint, allowing you to connect using: +The PrivateLink endpoint is a layer 3 solution so behaves like a standard Postgres endpoint, allowing you to connect using: - Direct Postgres connections using standard tools - Third-party database tools and ORMs (with the appropriate routing) -- (PgBouncer Projects Only) Directly to the pooler. - -## Use cases - -PrivateLink is ideal for organizations requiring: - -- **Regulatory Compliance**: Meeting strict data governance requirements that mandate private network connectivity -- **Enhanced Security**: Eliminating public internet exposure for sensitive database workloads -- **Corporate Policies**: Adhering to enterprise security policies that prohibit database connections over public networks -- **Performance Optimization**: Benefiting from reduced latency through AWS's private network infrastructure ## Next steps diff --git a/apps/www/_blog/2025-07-16-improved-security-controls.mdx b/apps/www/_blog/2025-07-16-improved-security-controls.mdx new file mode 100644 index 0000000000000..47539eaaca456 --- /dev/null +++ b/apps/www/_blog/2025-07-16-improved-security-controls.mdx 
@@ -0,0 +1,130 @@ +--- +title: 'Improved Security Controls and A New Home for Security' +description: 'Access to a new central security page and launch of additional controls.' +categories: + - product + - launch-week +tags: + - launch-week + - security + - realtime +date: '2025-07-16:15:00' +toc_depth: 3 +author: staaldraad,hieu,filipe +image: launch-week-15/day-3-security-controls/og.jpg +thumb: launch-week-15/day-3-security-controls/thumb.png +launchweek: 15 +--- + +Today we are launching the foundations of several security features we plan to build on in the upcoming months. + +- Centralized security docs +- Organization‑wide security settings in the Dashboard + +## Centralized Security Docs + +Supabase offers a robust set of security controls, but discovering and configuring them can feel daunting. Our [new security documentation](/docs/guides/security) brings everything into one place - from product features like Auth Rate Limits and Vault to step‑by‑step guides on building secure applications with Supabase (Row‑Level Security, hardening the Data API, the Production Checklist, and more). + +We’ve also published dedicated [SOC 2](/docs/guides/security/soc-2-compliance) and [HIPAA](/docs/guides/security/hipaa-compliance) guides that explain how to achieve these compliance standards on Supabase and answer common questions. + +## Enforce MFA in Organization Security Settings + +Organization view with a MFA enforced project + +The first setting we are launching in the organization‑wide security settings page in the Dashboard is the ability to enforce Multi‑Factor Authentication (MFA) for every member of a Supabase Organization. Once enabled, all members must have MFA configured to access any project or resource in that org. + +Project view when MFA enforced and access denied + +With MFA enforcement enabled, all members of your organization must use multi-factor authentication to access any project or resource. 
If a member hasn’t enabled MFA, they will immediately lose access until they do. New organization members will be able to accept invitations to an MFA enforced organization, but will not be able to interact with the organization until they have enabled MFA. + +This setting is only available to **Organization Owners**, and the owner must have MFA enabled on their own account. We recommend setting up **two separate MFA apps** as a backup. + +A few notes: + +- Only available on **Pro, Team, and Enterprise** plans. +- **Personal Access Tokens** (**PATs**) are not affected by this setting. + +You can toggle on this setting in the new [**Security tab**](/dashboard/org/_/security) of your organization settings. + +New security tab under organization settings + +## Supabase Realtime - Enable Private Channels Only + +Realtime configuration for private channels + +You can now set Realtime to use only private channels using [Realtime Authorization](/docs/guides/realtime/authorization?queryGroups=language&language=dart). If you toggle off the `Allow public access` setting, no public channels can be created. Only clients authorized via [Realtime Authorization](/docs/guides/realtime/authorization?queryGroups=language&language=dart), can listen to and send messages. + +This settings page is under a feature preview and you can enable it [here](/dashboard/project/_?featurePreviewModal=supabase-ui-realtime-settings). Once the feature preview is enabled, you can configure this setting in the new [Realtime Settings page](/dashboard/project/_/realtime/settings). While you are there, you can also tune the connection pool size that Realtime uses and the maximum **concurrent clients.** + +## Security and Performance Advisors - Disable Specific Rules + +Security and Performance Advisors - Rules Overview + +We received feedback from users that not all security and performance advisor rules apply to their project. 
Supabase powers everything from backend‑only APIs to full‑stack apps and some Security and Performance advisors may not be applicable for everyone. For example, the RLS Disabled in Public rule may not apply if you only access Supabase from a secure context like a web server. + +Security and Performance Advisors - Disable Rule + +You can now customize Security Advisor rules and disable rules which are not relevant to your project. We will be extending rule customization to include rule assignment and more fine grained filtering. + +This is currently under a feature preview and you can enable it [here](/dashboard/project/_?featurePreviewModal=supabase-ui-advisor-rules). Once enabled, rules can be managed through the new [configuration section](/dashboard/project/_/advisors/rules/security). + +## What comes next? + +This release is the first building block in our security roadmap across the Supabase platform, including user auth, network isolation, compliance tooling, and automated remediation. + +Here’s what's in progress: + +**Stronger Authentication and Access Control** + +- **YubiKey and hardware key MFA support** to complement Time-based One-Time Password (TOTP) flow. +- We have already announced that [project scoped roles](/docs/guides/platform/access-control#organization-scoped-roles-vs-project-scoped-roles) are [available on the Team plan](/changelog#project-scoped-roles), and now we are working to bring **custom roles** to our Enterprise plan. This will allow organizations to define custom, fine grained roles, limiting the actions and resources users have access to. + +**Security Enforcement** + +- **Assigning Security Advisories** to team members in your org. +- Furthermore, we are extending our project scoped controls to allow **automatically enforcing compliance controls** on [sensitive projects](/docs/guides/platform/hipaa-projects). 
+- Supporting **additional compliance standards**, alongside our existing [SOC 2](/docs/guides/security/soc-2-compliance) and [HIPAA](/docs/guides/security/hipaa-compliance) controls. + +**Enterprise Connectivity** + +- **Self-service SSO for Supabase Organizations:** Enterprise teams looking to enforce SSO sign-on will be able to self-serve via Supabase Dashboard and will no longer need to submit a support ticket. +- [Supabase PrivateLink](/docs/guides/platform/privatelink) provides enterprise-grade private network connectivity between your AWS VPC and your Supabase database using AWS VPC Lattice. This is currently in Private Alpha and available to our Enterprise customers. + +Our goal is to provide you with the best suite of security tools you need to deploy your production apps on Supabase with confidence. diff --git a/apps/www/components/LaunchWeek/15/data/lw15_build_stage.tsx b/apps/www/components/LaunchWeek/15/data/lw15_build_stage.tsx index 9e554bb8bc2a7..d71ad6e95ec87 100644 --- a/apps/www/components/LaunchWeek/15/data/lw15_build_stage.tsx +++ b/apps/www/components/LaunchWeek/15/data/lw15_build_stage.tsx @@ -65,13 +65,13 @@ export const days: BuildDay[] = [ ], }, { - title: '', + title: 'Improved Security Controls and A New Home for Security', description: '', - id: '', - is_shipped: false, + id: 'security-homepage', + is_shipped: true, links: [ { - url: '/blog/', + url: '/blog/improved-security-controls', label: 'Blog post', target: '_blank', }, diff --git a/apps/www/lib/authors.json b/apps/www/lib/authors.json index eff2661fe8a6b..32a8ae9871e3a 100644 --- a/apps/www/lib/authors.json +++ b/apps/www/lib/authors.json 
@@ -645,5 +645,13 @@ "position": "Engineering", "author_url": "https://github.com/jose-ledesma", "author_image_url": "https://avatars.githubusercontent.com/u/52402874?v=4" + }, + { + "author_id": "staaldraad", + "author": "Etienne Stalmans", + "username": "staaldraad", + "position": "Security Engineer", + "author_url": "https://github.com/staaldraad", + "author_image_url": "https://avatars.githubusercontent.com/u/4200832?v=4" } ] diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-dark.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-dark.png new file mode 100644 index 0000000000000..8929f08948127 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-dark.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-light.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-light.png new file mode 100644 index 0000000000000..7f4c341aee78e Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-light.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-dark.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-dark.png new file mode 100644 index 0000000000000..bbe0098a77f46 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-dark.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-light.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-light.png new file mode 100644 index 0000000000000..f2ff8f211e75d Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/mfa-enforced-project-light.png differ 
diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/og.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/og.png new file mode 100644 index 0000000000000..c4959f2fa1996 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/og.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/realtime-settings-dark.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/realtime-settings-dark.png new file mode 100644 index 0000000000000..f6f80dc15fe4d Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/realtime-settings-dark.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/realtime-settings-light.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/realtime-settings-light.png new file mode 100644 index 0000000000000..0516d126ff249 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/realtime-settings-light.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-dark.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-dark.png new file mode 100644 index 0000000000000..455e56165aaef Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-dark.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-light.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-light.png new file mode 100644 index 0000000000000..ba32d6a657b66 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-individual-rule-light.png differ 
diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-dark.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-dark.png new file mode 100644 index 0000000000000..c1df16b8087c4 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-dark.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-light.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-light.png new file mode 100644 index 0000000000000..10cf2b4463276 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-advisor-rules-light.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-page-dark.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-page-dark.png new file mode 100644 index 0000000000000..a00d89e8ec4cd Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-page-dark.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-page-light.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-page-light.png new file mode 100644 index 0000000000000..756b4fc2a75c0 Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/security-page-light.png differ diff --git a/apps/www/public/images/blog/launch-week-15/day-3-security-controls/thumb.png b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/thumb.png new file mode 100644 index 0000000000000..2d812ccd8ba3b Binary files /dev/null and b/apps/www/public/images/blog/launch-week-15/day-3-security-controls/thumb.png differ 
diff --git a/apps/www/public/rss.xml b/apps/www/public/rss.xml index 5c999067e3ffe..9eef1433c4e4f 100644 --- a/apps/www/public/rss.xml +++ b/apps/www/public/rss.xml @@ -8,6 +8,13 @@ Wed, 16 Jul 2025 00:00:00 -0700 + https://supabase.com/blog/improved-security-controls + Improved Security Controls and A New Home for Security + https://supabase.com/blog/improved-security-controls + Access to a new central security page and launch of additional controls. + Wed, 16 Jul 2025 00:00:00 -0700 + + https://supabase.com/blog/branching-2-0 Introducing Branching 2.0 https://supabase.com/blog/branching-2-0 diff --git a/supa-mdx-lint/Rule001HeadingCase.toml b/supa-mdx-lint/Rule001HeadingCase.toml index 054d7f31a2dea..c5afd2925466a 100644 --- a/supa-mdx-lint/Rule001HeadingCase.toml +++ b/supa-mdx-lint/Rule001HeadingCase.toml @@ -4,6 +4,7 @@ # Can also specify a regex that is compatible with the [Rust regex crate](https://docs.rs/regex/latest/regex/). may_uppercase = [ "[A-Z0-9]{2,5}s?", + "Option [A-Z]", "APIs", "Add-ons?", "Amazon RDS",
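Review bot: In Step 3 of the privatelink.mdx getting-started hunk, the inbound rule item labels the peer as "Destination", but an inbound security-group rule filters on source; change it to "Source that is appropriate for your network, i.e. the CIDR of your VPC subnets or the security group of your application instances". Two more points in the same hunk: the headings jump from "Step 6: Update applications" to "Step 8: Disable public connectivity", so a Step 7 is missing or Step 8 needs renumbering; and the Step 8 list has "Contact Supabase support to disable public connectivity" before "Ensure all applications are successfully using the private connection", which in that order causes an outage, so swap items 1 and 2 (verify first, then request the cut-over). The Step 6 example shows a literal `your-private-endpoint.vpce.amazonaws.com` hostname while the text this hunk removes spoke of the endpoint's `on.aws` DNS record; confirm which form a Resources-type endpoint actually produces and use the bracket placeholder style from Step 5 (`[private-endpoint]`) so readers do not copy a domain that may not match. Minor: "Login to your AWS Management Console" should be "Log in to", and "the endpoints IP address(es)" needs the possessive "endpoint's".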
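Review bot: In the Compatibility hunk of privatelink.mdx, "is a layer 3 solution so behaves like a standard Postgres endpoint" is missing its subject and a comma ("is a layer 3 solution, so it behaves like …"), and the new "layer 3" qualifier would help readers more with one clause on what it implies, e.g. that traffic is forwarded as-is without the endpoint terminating TLS or parsing the Postgres protocol. The hunk also deletes the "(PgBouncer Projects Only) Directly to the pooler" bullet without a replacement; if the pooler is no longer reachable over PrivateLink, say so in the Alpha limitations section rather than leaving the omission implicit.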
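Review bot: In the new blog post's frontmatter, `image: launch-week-15/day-3-security-controls/og.jpg` references a `.jpg`, but the only OG asset this PR adds is `og.png`, so the social preview image will not resolve; change the extension. In the same frontmatter, `date: '2025-07-16:15:00'` is not a valid timestamp (the time is joined to the date with a colon); use a valid ISO form such as `2025-07-16T15:00:00`. In the MFA section, the "Personal Access Tokens (PATs) are not affected by this setting" note should state the consequence: a member who has not enabled MFA keeps programmatic access through an existing PAT, so owners should know enforcement does not cover API automation. In the Advisors section, the example that the "RLS Disabled in Public" rule may not apply when Supabase is reached only from a server context should add that disabling the rule only suppresses the finding; if the Data API is ever reachable with a client-side key the table is still exposed, so the rule should stay enabled in that case. Grammar: "a MFA enforced project" / "an MFA enforced organization" should read "an MFA-enforced …", "fine grained" should be hyphenated, and the comma in "Realtime Authorization, can listen to" should go.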
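Review bot: In the lw15_build_stage.tsx hunk, `description: ''` is left empty while `title`, `id` and `is_shipped` are filled in; populate it with the post description from the frontmatter ("Access to a new central security page and launch of additional controls.") so the build-stage card does not render a blank line under the title.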
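Review bot: In the rss.xml hunk, the new item's pubDate `Wed, 16 Jul 2025 00:00:00 -0700` does not match the 15:00 time in the post's frontmatter; pick one so feed readers and the blog index order the post consistently. If rss.xml is generated at build time, regenerate it after fixing the malformed frontmatter date rather than hand-editing the entry.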