mirror of
https://github.com/supabase/supabase.git
synced 2026-07-01 19:54:20 +08:00
## I have read the CONTRIBUTING.md file.

YES

## What kind of change does this PR introduce?

- docs update

Closes DOCS-1080.

## What is the current behavior?

- Linear item: [DOCS-1080](https://linear.app/supabase/issue/DOCS-1080/update-hipaa-and-security-docs-to-reflect-the-log-connectionsoff) (parent: PSQL-1307)
- Docs do not mention that Postgres `log_connections` defaults to off for new projects, or how customers re-enable it for HIPAA/SOC 2 audit needs.
- No customer-facing how-to for the Management API `log_connections` setting.

## What is the new behavior?

- New guide: "Postgres connection logging" — default behavior, dashboard instructions, Management API curl examples, compliance notes.
- HIPAA shared-responsibility, HIPAA projects, SOC 2, HIPAA compliance FAQ, logs guide, custom-postgres-config, and product-security updated with cross-links.
- Platform nav entry added under **Platform → Postgres Connection Logging**.

### Proof: new guide and cross-links render

**Verified:** `pnpm lint:mdx` (pass) · local dev (all changed pages 200) · Vercel preview (new page 200)

| Check | Result |
|-------|--------|
| `pnpm lint:mdx` | pass (exit 0) |
| Preview new guide | [200](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/postgres-connection-logging) |
| Preview HIPAA bullet | [shared-responsibility-model#managing-healthcare-data](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data) |

**Quick review links:**

- [Postgres connection logging — New guide for the `log_connections=off` default and re-enabling via dashboard and Management API](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/postgres-connection-logging)
- [Shared Responsibility Model — Managing healthcare data — Added customer responsibility to keep connection logging enabled](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data)
- [HIPAA Projects — Added connection logging to required project configuration](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/hipaa-projects)

## Additional context

- **Before ready for review:** add dashboard screenshots once FE-3666 merges; add changelog cross-link when PSQL-1307 entry is published.
- CLI does not expose `log_connections`; how-to documents Management API only until dashboard screenshots are added.

### Test plan

- [ ] Open [preview guide](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/platform/postgres-connection-logging) — default behavior, API examples, compliance sections present
- [ ] Confirm [HIPAA shared-responsibility bullet](https://docs-git-nikrichers-docs-1080-update-hipaa-and-e3b13d-supabase.vercel.app/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data) links to the new guide
- [ ] Confirm Platform nav includes **Postgres Connection Logging**
- [ ] Spot-check Management API paths against `/docs/reference/api/v1-update-postgres-config`
- [ ] After FE-3666: add Database Settings screenshots to the guide and PR proof section

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **Documentation**
  * Added a full guide for enabling/disabling Postgres connection logging (dashboard + Management API), including verification steps and examples.
  * Clarified which Postgres parameters are Management API–only (CLI limitations), with `log_connections` as an example.
  * Updated HIPAA, SOC 2, and shared responsibility guidance to recommend keeping Postgres connection logging enabled, plus added related FAQ/resources.
  * Expanded telemetry logs documentation with “Logging Postgres connections” and Logs Explorer visibility notes.
* **UI / Navigation**
  * Added the new “Postgres Connection Logging” entry to the Platform configuration navigation.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Nik Richers <nik@validmind.ai>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
80 lines
3.8 KiB
Plaintext
---
id: 'postgres-connection-logging'
title: 'Postgres connection logging'
description: 'Enable or disable Postgres connection logging for audit and compliance.'
---

For security monitoring and compliance audits, Postgres can log connection lifecycle events to your project's [Postgres logs](/docs/guides/telemetry/logs#postgres), including events such as `connection received`, `connection authenticated`, and `connection authorized`.

## Default behavior

By default, Supabase sets `log_connections` to `off` for new projects, so you must enable it before connection events are logged. This behavior matches common managed Postgres defaults and reduces log volume from high-frequency connection events.

Existing projects may retain different settings depending on plan and compliance configuration:

- **Team, Enterprise, and HIPAA organizations** — Connection logging is typically enabled to support audit requirements.
- **HIPAA projects** — Supabase enables connection logging when a project is marked as high compliance. The [Security Advisor](/dashboard/project/_/advisors/security) warns if connection logging is later disabled.

## Compliance considerations

<Admonition type="note">

If you need connection audit evidence for SOC 2 or other compliance programs, you must enable connection logging explicitly.

</Admonition>

Connection logging supports audit and monitoring controls required by some compliance programs:

- **HIPAA** — High-compliance projects should keep connection logging enabled. See the [shared responsibility model for healthcare data](/docs/guides/deployment/shared-responsibility-model#managing-healthcare-data) and [HIPAA compliance guide](/docs/guides/security/hipaa-compliance).
- **SOC 2** — Users who need connection audit evidence should enable logging and retain logs according to their own policies. See the [SOC 2 compliance guide](/docs/guides/security/soc-2-compliance).

Disabling connection logging does not affect other Supabase logging (for example, [Platform Audit Logs](/docs/guides/security/platform-audit-logs), [Auth Audit Logs](/docs/guides/auth/audit-logs), or [pgAudit](/docs/guides/telemetry/logs#configuring-pgauditlog)).

## Manage connection logging via the dashboard

You can configure connection logging from the **Log connections** setting in the [Database Settings](/dashboard/project/_/database/settings) section of the Dashboard.

Ensure that you have [Owner or Admin permissions](/docs/guides/platform/access-control#manage-team-members) for the project.

<Admonition type="note">

Connection events appear in Postgres logs. In the [Logs Explorer](/dashboard/project/_/logs-explorer), connection lifecycle messages may be hidden by default to reduce noise. Use the connection logs filter in the sidebar to show or hide them.

</Admonition>

## Manage connection logging via the Management API

You can also manage connection logging using the [Management API](/docs/reference/api/v1-update-postgres-config):

```bash
# Get your access token from https://supabase.com/dashboard/account/tokens
export SUPABASE_ACCESS_TOKEN="your-access-token"
export PROJECT_REF="your-project-ref"

# Get current Postgres config
curl -X GET "https://api.supabase.com/v1/projects/$PROJECT_REF/config/database/postgres" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN"

# Enable connection logging
curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/config/database/postgres" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "log_connections": true
  }'

# Disable connection logging
curl -X PUT "https://api.supabase.com/v1/projects/$PROJECT_REF/config/database/postgres" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "log_connections": false
  }'
```

To verify the setting, use the SQL Editor:

```sql
show log_connections;
```
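
Once connection logging is enabled, the lifecycle events named at the top of this guide can be correlated into audit evidence. The following is an added example, not part of the Supabase docs or codebase: it groups log lines by backend PID and counts, per source host, connections that never reached `connection authorized`. The sample lines are constructed, and the `timestamp [pid] LEVEL:` prefix is an assumption that depends on `log_line_prefix`.

```python
import re
from collections import Counter

# Constructed sample lines. The "timestamp [pid] LEVEL:" prefix is an assumption
# (the real prefix depends on log_line_prefix); message bodies follow stock Postgres.
SAMPLE_LOG = """\
2026-07-01 10:00:00 UTC [101] LOG:  connection received: host=203.0.113.7 port=50412
2026-07-01 10:00:00 UTC [101] LOG:  connection authenticated: identity="app_user" method=scram-sha-256 (/etc/postgresql/pg_hba.conf:12)
2026-07-01 10:00:00 UTC [101] LOG:  connection authorized: user=app_user database=postgres SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256)
2026-07-01 10:00:05 UTC [102] LOG:  connection received: host=198.51.100.9 port=41000
2026-07-01 10:00:05 UTC [102] FATAL:  password authentication failed for user "postgres"
2026-07-01 10:00:09 UTC [103] LOG:  connection received: host=198.51.100.9 port=41002
"""

EVENT_RE = re.compile(
    r"\[(?P<pid>\d+)\] \w+:\s+connection "
    r"(?P<event>received|authenticated|authorized): (?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(log_text):
    """Group connection lifecycle events into sessions keyed by backend PID."""
    sessions, current = [], {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a connection lifecycle message
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["rest"])}
        if m["event"] == "received":
            # PIDs are reused, so every "received" opens a fresh session.
            current[m["pid"]] = {"pid": int(m["pid"]), "host": fields.get("host"),
                                 "user": None, "method": None,
                                 "authorized": False, "ssl": False}
            sessions.append(current[m["pid"]])
        elif m["pid"] in current:  # skip events whose "received" predates the log
            session = current[m["pid"]]
            if m["event"] == "authenticated":
                session["method"] = fields.get("method")
            else:
                session.update(user=fields.get("user"), authorized=True,
                               ssl="SSL enabled" in m["rest"])
    return sessions

def unauthorized_by_host(sessions):
    """Count connections per source host that never reached 'authorized'."""
    return Counter(s["host"] for s in sessions if not s["authorized"])

if __name__ == "__main__":
    sessions = correlate(SAMPLE_LOG)
    for s in sessions:
        print(s)
    print(dict(unauthorized_by_host(sessions)))
```
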