
Supabase Security Retro: 2025

Blog post from Supabase

Post Details
Company: Supabase
Author: Bil Harmer and Paul Copplestone
Word count: 3,436
Language: English
Summary

In 2025, Supabase shipped a series of security improvements centred on safer defaults and better tooling: Postgres Row Level Security (RLS) is now enabled by default on new tables, and a new API key system based on asymmetric JWTs replaced the previous keys. Alongside these changes, keys that leak to GitHub are detected and revoked automatically, the dashboard shows clear warnings for tables without RLS, and a Security Advisor flags common misconfigurations. For 2026, Supabase plans UI controls for API access, richer security alerts, and integration with tools such as OpenFGA for finer-grained permissions. The vulnerability disclosure program on HackerOne will expand to include paid bounties, and security checks will be folded further into developer workflows through tools like the dashboard Assistant. Finally, stricter default settings and an optional hardened project configuration will become available, together with measures that restrict database access and shrink the attack surface, such as disabling pg_graphql by default on new projects.