Files
supabase/apps/docs/content/guides/database/secure-data.mdx
Charis 161ba3da32 docs: document more ways to secure the data api (#27756)
Document ways to increase the security of Data API, including:

- Disabling it entirely
- Exposing a custom schema instead of the `public` schema

Also found a duplicated link in the nav for CLS, so removed it.
2024-07-03 12:32:16 +00:00

34 lines
2.0 KiB
Plaintext

---
id: 'securing-your-data'
title: 'Securing your data'
---
Supabase helps you control access to your data. With access policies, you can protect sensitive data and make sure users only access what they're allowed to see.
## Connecting your app securely
Supabase allows you to access your database using the auto-generated [Data APIs](/docs/guides/database/connecting-to-postgres#data-apis). This speeds up the process of building web apps, since you don't need to write your own backend services to pass database queries and results back and forth.
You can keep your data secure while accessing the Data APIs from the frontend, so long as you:
- Turn on [Row Level Security](/docs/guides/database/postgres/row-level-security) (RLS) for your tables
- Use your Supabase **anon key** when you create a Supabase client
Your anon key is safe to expose with RLS enabled, because row access permission is checked against your access policies and the user's [JSON Web Token (JWT)](/docs/learn/auth-deep-dive/auth-deep-dive-jwts). The JWT is automatically sent by the Supabase client libraries if the user is logged in using Supabase Auth.
<Admonition type="danger" label="Never expose your service role key on the frontend">
Unlike your anon key, your **service role key** is **never** safe to expose because it bypasses RLS. Only use your service role key on the backend. Treat it as a secret (for example, import it as a sensitive environment variable instead of hardcoding it).
</Admonition>
## More information
Supabase and Postgres provide you with multiple ways to manage security, including but not limited to Row Level Security. See the Access and Security pages for more information:
- [Row Level Security](/docs/guides/database/postgres/row-level-security)
- [Column Level Security](/docs/guides/database/postgres/column-level-security)
- [Hardening the Data API](/docs/guides/database/hardening-data-api)
- [Managing Postgres roles](/docs/guides/database/postgres/roles)
- [Managing secrets with Vault](/docs/guides/database/vault)