Securing your API
The data APIs are designed to work with Postgres Row Level Security (RLS). If you use Supabase Auth, you can restrict data based on the logged-in user.
To control access to your data, you can use Policies.
Enabling row level security
Any table you create in the public schema will be accessible via the Supabase Data API.
To restrict access, enable Row Level Security (RLS) on all tables, views, and functions in the public schema. You can then write RLS policies to grant users access to specific database rows or functions based on their authentication token.
Always enable Row Level Security on tables, views, and functions in the public schema to protect your data.
Any table created through the Supabase Dashboard will have RLS enabled by default. If you created the tables via the SQL editor or via another way, enable RLS like so:
With RLS enabled, you can create Policies that allow or disallow users to access and update data. We provide a detailed guide for creating Row Level Security Policies in our Authorization documentation.
Any table without RLS enabled in the public schema will be accessible to the public, using the anon role. Always make sure that RLS is enabled or that you've got other security measures in place to avoid unauthorized access to your project's data!
Safeguards towards accidental deletes and updates
By default, all projects have the safeupdate Postgres extension enabled for API queries. This ensures that delete() and update() requests will fail if there are no filters provided.
To confirm that safeupdate is enabled for API queries, run the following query:
_10select_10 usename,_10 useconfig_10from pg_shadow_10where usename = 'authenticator';
The expected value for useconfig should be:
_10;['session_preload_libraries=supautils, safeupdate']
Enforce additional rules on each request
Using Row Level Security policies may not always be adequate or sufficient to protect APIs.
Here are some common situations where additional protections are necessary:
- Enforcing per-IP or per-user rate limits.
- Checking custom or additional API keys before allowing further access.
- Rejecting requests after exceeding a quota or requiring payment.
- Disallowing direct access to certain tables, views or functions in the
publicschema.
You can build these cases in your application by creating a Postgres function that will read information from the request and perform additional checks, such as counting the number of requests received or checking that an API key is already registered in your database before serving the response.
Define a function like so:
_10create function public.check_request()_10 returns void_10 language plpgsql_10 security definer_10 as $$_10begin_10 -- your logic here_10end;_10$$;
And register it to run on every Data API request using:
_10alter role authenticator_10 set pgrst.db_pre_request = 'public.check_request';
This configures the public.check_request function to run on every Data API request. To have the changes take effect, you should run:
_10notify pgrst, 'reload config';
Inside the function you can perform any additional checks on the request headers or JWT and raise an exception to prevent the request from completing. For example, this exception raises a HTTP 402 Payment Required response with a hint and additional X-Powered-By header:
_10raise sqlstate 'PGRST' using_10 message = json_build_object(_10 'code', '123',_10 'message', 'Payment Required',_10 'details', 'Quota exceeded',_10 'hint', 'Upgrade your plan')::text,_10 detail = json_build_object(_10 'status', 402,_10 'headers', json_build_object(_10 'X-Powered-By', 'Nerd Rage'))::text;
When raised within the public.check_request function, the resulting HTTP response will look like:
_10HTTP/1.1 402 Payment Required_10Content-Type: application/json; charset=utf-8_10X-Powered-By: Nerd Rage_10_10{_10 "message": "Payment Required",_10 "details": "Quota exceeded",_10 "hint": "Upgrade your plan",_10 "code": "123"_10}
Use the JSON operator functions to build rich and dynamic responses from exceptions.
If you use a custom HTTP status code like 419, you can supply the status_text key in the detail clause of the exception to describe the HTTP status.
If you're using PostgREST version 11 or lower (find out your PostgREST version) a different and less powerful syntax needs to be used.
Accessing request information
Like with RLS policies, you can access information about the request by using the current_setting() Postgres function. Here are some examples on how this works:
_10-- To get all the headers sent in the request_10SELECT current_setting('request.headers', true)::json;_10_10-- To get a single header, you can use JSON arrow operators_10SELECT current_setting('request.headers', true)::json->>'user-agent';_10_10-- Access Cookies_10SELECT current_setting('request.cookies', true)::json;
current_setting() | Example | Description |
|---|---|---|
request.method | GET, HEAD, POST, PUT, PATCH, DELETE | Request's method |
request.path | table | Table's path |
request.path | view | View's path |
request.path | rpc/function | Functions's path |
request.headers | { "User-Agent": "...", ... } | JSON object of the request's headers |
request.cookies | { "cookieA": "...", "cookieB": "..." } | JSON object of the request's cookies |
request.jwt | { "sub": "a7194ea3-...", ... } | JSON object of the JWT payload |
To access the IP address of the client look up the X-Forwarded-For header in the request.headers setting. For example:
_10SELECT split_part(_10 current_setting('request.headers', true)::json->>'x-forwarded-for',_10 ',', 1); -- takes the client IP before the first comma (,)
Read more about PostgREST's pre-request function.