supabase/apps/docs/content/guides/platform/postgres-connection-logging.mdx
Nik Richers d1f71464f1 docs(security): document log_connections=off default and re-enable path (#47199)
## I have read the CONTRIBUTING.md file.

YES

## What kind of change does this PR introduce?

- docs update

Closes DOCS-1080.

## What is the current behavior?

- Linear item:
[DOCS-1080](https://linear.app/supabase/issue/DOCS-1080/update-hipaa-and-security-docs-to-reflect-the-log-connectionsoff)
(parent: PSQL-1307)
- Docs do not mention that Postgres `log_connections` defaults to off
for new projects, or how customers re-enable it for HIPAA/SOC 2 audit
needs.
- No customer-facing how-to for the Management API `log_connections`
setting.

## What is the new behavior?

- New guide: "Postgres connection logging" — default behavior, dashboard
instructions, Management API curl examples, compliance notes.
- HIPAA shared-responsibility, HIPAA projects, SOC 2, HIPAA compliance
FAQ, logs guide, custom-postgres-config, and product-security updated
with cross-links.
- Platform nav entry added under **Platform → Postgres Connection
Logging**.

### Proof: new guide and cross-links render

**Verified:** `pnpm lint:mdx` (pass) · local dev (all changed pages 200)
· Vercel preview (new page 200)

| Check | Result |
|-------|--------|
| `pnpm lint:mdx` | pass (exit 0) |
| Preview new guide | [200](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/postgres-connection-logging) |
| Preview HIPAA bullet | [shared-responsibility-model#managing-healthcare-data](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data) |

**Quick review links:**

- [Postgres connection logging — New guide for the `log_connections=off`
default and re-enabling via dashboard and Management
API](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/postgres-connection-logging)
- [Shared Responsibility Model — Managing healthcare data — Added
customer responsibility to keep connection logging
enabled](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data)
- [HIPAA Projects — Added connection logging to required project
configuration](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/hipaa-projects)

## Additional context

- **Before ready for review:** add dashboard screenshots once FE-3666
merges; add changelog cross-link when PSQL-1307 entry is published.
- CLI does not expose `log_connections`; how-to documents Management API
only until dashboard screenshots are added.

### Test plan

- [ ] Open [preview
guide](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/postgres-connection-logging)
— default behavior, API examples, compliance sections present
- [ ] Confirm [HIPAA shared-responsibility
bullet](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data)
links to the new guide
- [ ] Confirm Platform nav includes **Postgres Connection Logging**
- [ ] Spot-check Management API paths against
`/docs/reference/api/v1-update-postgres-config`
- [ ] After FE-3666: add Database Settings screenshots to the guide and
PR proof section

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Documentation**
  * Added a full guide for enabling/disabling Postgres connection logging
    (dashboard + Management API), including verification steps and examples.
  * Clarified which Postgres parameters are Management API–only (CLI
    limitations), with `log_connections` as an example.
  * Updated HIPAA, SOC 2, and shared responsibility guidance to recommend
    keeping Postgres connection logging enabled, plus added related
    FAQ/resources.
  * Expanded telemetry logs documentation with “Logging Postgres
    connections” and Logs Explorer visibility notes.
* **UI / Navigation**
  * Added the new “Postgres Connection Logging” entry to the Platform
    configuration navigation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Nik Richers <nik@validmind.ai>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
2026-06-23 08:14:56 -07:00

---
id: 'postgres-connection-logging'
title: 'Postgres connection logging'
description: 'Enable or disable Postgres connection logging for audit and compliance.'
---
For security monitoring and compliance audits, Postgres can log connection lifecycle events to your project's [Postgres logs](/docs/guides/telemetry/logs#postgres), including events such as `connection received`, `connection authenticated`, and `connection authorized`.

## Default behavior

By default, Supabase sets `log_connections` to off for new projects, so connection events are not logged until you enable the setting. This behavior matches common managed Postgres defaults and reduces log volume from high-frequency connection events.

Existing projects may retain different settings depending on plan and compliance configuration:

- **Team, Enterprise, and HIPAA organizations** — Connection logging is typically enabled to support audit requirements.
- **HIPAA projects** — Supabase enables connection logging when a project is marked as high compliance. The [Security Advisor](/dashboard/project/_/advisors/security) warns if connection logging is later disabled.

## Compliance considerations

<Admonition type="note">

If you need connection audit evidence for SOC 2 or other compliance programs, you must enable connection logging explicitly.

</Admonition>

Connection logging supports audit and monitoring controls required by some compliance programs:

- **HIPAA** — High-compliance projects should keep connection logging enabled. See the [shared responsibility model for healthcare data](/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data) and [HIPAA compliance guide](/docs/guides/security/hipaa-compliance).
- **SOC 2** — Users who need connection audit evidence should enable logging and retain logs according to their own policies. See the [SOC 2 compliance guide](/docs/guides/security/soc-2-compliance).

Disabling connection logging does not affect other Supabase logging (for example, [Platform Audit Logs](/docs/guides/security/platform-audit-logs), [Auth Audit Logs](/docs/guides/auth/audit-logs), or [pgAudit](/docs/guides/telemetry/logs#configuring-pgauditlog)).

## Manage connection logging via the dashboard

You can configure connection logging from the **Log connections** setting in the [Database Settings](/dashboard/project/_/database/settings) section of the Dashboard.

Ensure that you have [Owner or Admin permissions](/docs/guides/platform/access-control#manage-team-members) for the project.

<Admonition type="note">

Connection events appear in Postgres logs. In the [Logs Explorer](/dashboard/project/_/logs-explorer), connection lifecycle messages may be hidden by default to reduce noise. Use the connection logs filter in the sidebar to show or hide them.

</Admonition>
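
Once connection logging is enabled, the lifecycle events can be turned into audit evidence. The following is an added example, not part of the Supabase docs or codebase: it groups `connection received`, `connection authenticated`, and `connection authorized` messages by backend process ID and reports completed logins and connections that never reached authorization. It assumes exported log lines in stock Postgres message format with a `[pid]` prefix; the sample lines and the function names `parse_sessions` and `audit_summary` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges), not real project logs.
SAMPLE_LOG = """\
2026-01-10 09:00:01 UTC [4101] LOG:  connection received: host=192.0.2.10 port=50122
2026-01-10 09:00:01 UTC [4101] LOG:  connection authenticated: identity="app_user" method=scram-sha-256 (/etc/postgresql/pg_hba.conf:12)
2026-01-10 09:00:01 UTC [4101] LOG:  connection authorized: user=app_user database=postgres SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256)
2026-01-10 09:02:17 UTC [4102] LOG:  connection received: host=198.51.100.7 port=41888
2026-01-10 09:02:17 UTC [4102] FATAL:  password authentication failed for user "postgres"
2026-01-10 09:05:40 UTC [4103] LOG:  connection received: host=192.0.2.10 port=50190
2026-01-10 09:05:40 UTC [4103] LOG:  connection authorized: user=app_user database=postgres
"""

# Assumed prefix: "[pid] LOG:" followed by one of the three lifecycle messages.
EVENT = re.compile(r"\[(?P<pid>\d+)\] LOG:\s+connection "
                   r"(?P<kind>received|authenticated|authorized): (?P<rest>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s,)]+)')  # key=value or key="value"

def parse_sessions(text):
    """Group connection lifecycle events by backend PID into sessions."""
    sessions, open_by_pid = [], {}
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not a connection lifecycle message
        if m["kind"] == "received":
            # 'received' always starts a new session, even if the PID was reused.
            open_by_pid[m["pid"]] = {"pid": int(m["pid"]), "events": []}
            sessions.append(open_by_pid[m["pid"]])
        session = open_by_pid.get(m["pid"])
        if session is None:
            continue  # session started before the exported log window
        session["events"].append(m["kind"])
        session.update({k: v.strip('"') for k, v in FIELD.findall(m["rest"])})
    return sessions

def audit_summary(text):
    """Count completed logins and list sources that never reached authorization."""
    sessions = parse_sessions(text)
    done = [s for s in sessions if "authorized" in s["events"]]
    incomplete = [s for s in sessions if "authorized" not in s["events"]]
    return {
        "logins": Counter((s["user"], s["database"], s["host"]) for s in done),
        "incomplete_hosts": sorted({s["host"] for s in incomplete}),
    }
```
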

## Manage connection logging via the Management API

You can also manage connection logging using the [Management API](/docs/reference/api/v1-update-postgres-config):

```bash
# Get your access token from https://supabase.com/dashboard/account/tokens
export SUPABASE_ACCESS_TOKEN="your-access-token"
export PROJECT_REF="your-project-ref"

# Get current Postgres config
curl -X GET "https://api.supabase.com/v1/projects/$PROJECT_REF/config/database/postgres" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN"

# Enable connection logging
curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/config/database/postgres" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "log_connections": true
  }'

# Disable connection logging
curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/config/database/postgres" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "log_connections": false
  }'
```

To verify the setting, use the SQL Editor:

```sql
show log_connections;
```