Australia Supabase security

Supabase security context for Australia

Australian Supabase teams often need auditable security boundaries that support Privacy Act obligations and practical breach response expectations.

Pricing / operational notes for Australia

Operational cost usually includes recurring privacy reviews, incident workflows, and evidence for customer trust. Standardized backend-only controls lower rework across releases.

Regulatory considerations (high-level, sourced)

• Privacy Act 1988 and Australian Privacy Principles — The Privacy Act and APPs establish private-sector privacy obligations. Teams should implement technical and organizational safeguards that reduce unauthorized access risk. (source: https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act)
• Notifiable Data Breaches (NDB) scheme — Covered entities must assess and notify eligible data breaches. Practical security controls and clear detection workflows improve response quality and reduce incident impact. (source: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme)

Local trends that shape risk

• Organizations are prioritizing data breach preparedness and evidence-backed incident playbooks.
• Security reviews increasingly focus on technical proof that direct client access paths are constrained.
• Teams are moving toward repeatable least-privilege checks for grants, policies, and function execution.

What to prioritize first in Australia (high leverage)

1. Block direct client access to sensitive data surfaces (tables, Storage, privileged RPC).
2. Make verification repeatable: one checklist you can run in dev/staging/prod.
3. Reduce policy complexity: prefer backend-only access for sensitive workflows.
4. Add monitoring and logs so you can respond quickly if something changes.

Practical checklist

1. Treat browser-originating access to sensitive resources as untrusted by default.
2. Require server-side authorization for privileged table reads and writes.
3. Use private buckets and short-lived signed URLs for sensitive file distribution.
4. Audit role grants and function EXECUTE permissions every release cycle.
5. Log denied access events and investigate unusual patterns promptly.
6. Maintain an incident checklist tied to direct-access verification steps.
7. Re-run security checks after migrations that modify schema or auth flows.

How to use this Australia page during a review

1. Start with the local trends and identify which ones apply to your app and customers.
2. Pick one high-risk surface (tables/Storage/RPC) and run direct access tests to validate exposure.
3. Apply one template/conversion and repeat the same tests to prove the fix worked.
4. Capture evidence (what changed + what test proves it) and add a drift guard after migrations.

Evidence to keep for Australia (so reviews go faster)

• A short architecture note describing which operations are backend-only and why.
• A copy of the verification checklist you run after migrations and releases.
• A record of security-critical configuration changes (policies, grants, bucket settings, functions).
• Logs or monitoring signals that help you detect unexpected access patterns.

Baseline architecture that maps well to Australia expectations

If you want a posture that’s easy to explain in reviews, keep the architecture simple:

• Backend-only access for sensitive operations (tables/Storage/RPC).
• Short-lived signed URLs for private files generated on the server after authorization.
• Least privilege for client roles: no broad grants, minimal policies, deny-by-default where possible.
• Repeatable verification and drift checks after migrations.

Recommended reading (glossary terms)

• Row Level Security (RLS) → /glossary/row-level-security
• Public Table Exposure → /glossary/public-table-exposure
• Over-permissive RLS Policies → /glossary/over-permissive-rls-policies
• Supabase Storage Bucket Privacy → /glossary/supabase-storage-bucket-privacy
• RPC EXECUTE Grants → /glossary/rpc-execute-grants
• Signed URLs → /glossary/signed-urls
• Service Role Key → /glossary/service-role-key
• Forced RLS (FORCE ROW LEVEL SECURITY) → /glossary/force-row-level-security
• Client Role Grants (anon/authenticated) → /glossary/client-role-grants
• Ownership-bound RLS Policies → /glossary/ownership-bound-rls-policies
• Storage Object Enumeration → /glossary/storage-object-enumeration
• Public RPC Surface Area → /glossary/public-rpc-surface-area
• NEXT_PUBLIC Secret Leakage → /glossary/next-public-secret-leakage
• Broken Object Level Authorization (BOLA) → /glossary/broken-object-level-authorization
• Insecure Direct Object References (IDOR) → /glossary/insecure-direct-object-references
• Tenant ID Trusted from Client → /glossary/tenant-id-trust-in-client
• Missing WITH CHECK Policy → /glossary/missing-with-check-policy
• Broad SELECT for Authenticated Role → /glossary/broad-authenticated-select
• Broad UPDATE for Authenticated Role → /glossary/broad-authenticated-update
• Broad DELETE for Authenticated Role → /glossary/broad-authenticated-delete
• Default Privilege Drift → /glossary/default-privilege-drift
• Schema USAGE Granted to PUBLIC → /glossary/schema-usage-granted-to-public
• Exposed Materialized Views → /glossary/exposed-materialized-views
• Insecure SECURITY DEFINER Functions → /glossary/insecure-security-definer-functions
• Mutable Function search_path → /glossary/mutable-function-search-path
• Trigger Privilege Escalation → /glossary/trigger-privilege-escalation
• Migration Owner Bypass of RLS → /glossary/migration-owner-bypass
• Shadow Table Without RLS → /glossary/shadow-table-without-rls
• Audit Log Table Publicly Readable → /glossary/audit-log-public-readable
• Soft Delete Policy Bypass → /glossary/soft-delete-policy-bypass
• UPSERT Policy Gap → /glossary/upsert-policy-gap
• Cross-Schema Data Exposure → /glossary/cross-schema-exposure
• Unrestricted View Definitions → /glossary/unrestricted-view-definitions
• Leaked JWT Signing Secret → /glossary/leaked-jwt-secret
• Stale JWT Claims → /glossary/stale-jwt-claims
• Auth Role Claim Confusion → /glossary/auth-role-claim-confusion
• Magic Link Open Redirect → /glossary/magic-link-redirect-open-redirect
• Password Reset Token Leakage → /glossary/password-reset-token-leakage
• OAuth Role Mapping Errors → /glossary/oauth-role-mapping-errors
• SSO Group Sync Escalation → /glossary/sso-group-sync-escalation
• Invite Flow Tenant Escalation → /glossary/invite-flow-tenant-escalation
• Membership Race Condition → /glossary/membership-race-condition
• Admin Panel Client-Only Auth → /glossary/admin-panel-client-auth-only
• Database URL Leaked in Client → /glossary/leaked-database-url-in-client
• Secrets in Repository History → /glossary/secrets-in-repo-history
• Environment Parity Security Drift → /glossary/env-parity-security-drift
• Staging Database Public Exposure → /glossary/staging-db-public-exposure
• Test Data Left in Production → /glossary/test-data-in-production
• Unencrypted Sensitive Columns → /glossary/unencrypted-sensitive-columns
• Missing Key Rotation Policy → /glossary/key-rotation-policy-missing
• Service Role Overreach in Cron Jobs → /glossary/service-role-overreach-in-cron
• PII in Error Traces → /glossary/pii-in-error-traces
• PII in Analytics Events → /glossary/pii-in-analytics-events
• Missing Data Retention Policy → /glossary/data-retention-policy-missing
• Incomplete GDPR Delete Flow → /glossary/incomplete-gdpr-delete-flow
• No Exfiltration Anomaly Detection → /glossary/no-anomaly-detection-exfiltration
• Weak Tenant Isolation Tests → /glossary/weak-tenant-isolation-tests
• Policy Drift After Schema Rename → /glossary/policy-drift-after-schema-rename
• Orphaned Policies After Table Rename → /glossary/orphaned-policies-after-table-rename
• Generated Columns Leak Sensitive Data → /glossary/generated-columns-sensitive-leak
• View Without Security Barrier → /glossary/view-without-security-barrier
• Missing Column-Level Redaction → /glossary/column-level-redaction-missing
• Unrestricted PostgREST Origin Proxy → /glossary/unrestricted-postgrest-origin
• CORS Misconfiguration in Edge Functions → /glossary/cors-misconfiguration-edge-functions
• Missing Webhook Signature Validation → /glossary/missing-webhook-signature-validation
• Webhook Replay Attack Risk → /glossary/webhook-replay-attack-risk
• Billing Webhook Idempotency Gap → /glossary/billing-webhook-idempotency-gap
• Insecure Edge Function Authentication → /glossary/insecure-edge-function-auth
• Edge Function Service Role Overuse → /glossary/edge-function-service-role-overuse
• RPC Dynamic SQL Injection → /glossary/rpc-dynamic-sql-injection
• RPC Missing Input Validation → /glossary/rpc-missing-input-validation
• RPC Unbounded Result Sets → /glossary/rpc-unbounded-result-set
• RPC Error Message Data Leak → /glossary/rpc-error-data-leak
• Public Function Source Disclosure → /glossary/public-function-source-disclosure
• Overloaded RPC Signature Miss → /glossary/overloaded-rpc-signature-miss
• Unrestricted Admin Search Endpoint → /glossary/unrestricted-admin-search-endpoint
• Bulk Export Endpoint Overexposure → /glossary/bulk-export-endpoint-overexposure
• CSV Import Trusts Client Columns → /glossary/csv-import-trusts-client-columns
• Row Ownership Transfer Without Recheck → /glossary/row-ownership-transfer-without-recheck
• File Upload MIME Spoofing → /glossary/file-upload-mime-spoofing
• Storage Upload Size Abuse → /glossary/storage-upload-size-abuse
• Missing Malware Scanning on Uploads → /glossary/missing-malware-scanning-uploads
• Public Backup Bucket Leak → /glossary/public-backup-bucket-leak
• Expired Signed URL Caching Leak → /glossary/expired-signed-url-caching-leak
• Object Path Predictability Risk → /glossary/object-path-predictability-risk
• Storage Lifecycle Policy Missing → /glossary/storage-lifecycle-policy-missing
• Bucket LIST Permission Too Broad → /glossary/bucket-list-permission-too-broad
• Realtime Channel Authorization Gap → /glossary/realtime-channel-authorization-gap
• Realtime Presence Data Leak → /glossary/realtime-presence-data-leak
• Publication Includes Sensitive Tables → /glossary/publication-includes-sensitive-tables
• Replication Role Overgrant → /glossary/replication-role-overgrant
• Unbounded Pagination Enumeration → /glossary/unbounded-pagination-enumeration
• Guessable Primary Keys → /glossary/guessable-primary-keys
• Missing Rate Limits on Write Paths → /glossary/rate-limit-missing-on-write-paths
• Missing CAPTCHA on Sensitive Flows → /glossary/missing-captcha-sensitive-flows
• Insecure Feature Flag Disclosure → /glossary/insecure-feature-flag-disclosure
• No Two-Person Review for Privilege Changes → /glossary/no-two-person-review-privilege-changes
• Dependency Drift Misses Security Updates → /glossary/dependency-drift-security-updates-missed
• Private Key Material in Logs → /glossary/private-key-material-in-logs
• API Cache Leaks Private Data → /glossary/api-cache-private-data-leak
• Data API Public Schema Exposure → /glossary/data-api-public-schema-exposure
• Data API Custom Schema Misconfiguration → /glossary/data-api-custom-schema-misconfiguration
• pg_graphql Extension Exposure → /glossary/pg-graphql-extension-exposure
• Realtime Public Channel Mode → /glossary/realtime-public-channel-mode
• Realtime Topic Policy Mismatch → /glossary/realtime-topic-policy-mismatch
• Realtime Broadcast Overexposure → /glossary/realtime-broadcast-overexposure
• Edge Function JWT Verification Gap → /glossary/edge-function-jwt-verification-gap
• Service Role Authorization Header Override → /glossary/service-role-authorization-header-override
• Publishable vs Secret Key Scope Confusion → /glossary/publishable-secret-key-scope-confusion
• Missing Network Restrictions → /glossary/missing-network-restrictions
• IPv6 Allowlist Gap → /glossary/ipv6-allowlist-gap
• Default Function EXECUTE to PUBLIC → /glossary/default-function-execute-to-public
• Untrusted Language Function Risk → /glossary/untrusted-language-function-risk
• Storage Authenticated Endpoint Overtrust → /glossary/storage-authenticated-endpoint-overtrust

Recommended fixes (templates)

• Lock down a public table (backend-only access) → /templates/access-control/lock-down-public-table
• Make a bucket private + serve files with signed URLs → /templates/storage-safety/make-bucket-private-signed-urls
• Lock down RPC: revoke EXECUTE from public roles → /templates/rpc-functions/lock-down-rpc-execute

Common misconceptions to avoid in Australia

• “We removed the UI button so the data isn’t reachable.” (Attackers don’t use your UI.)
• “We have RLS policies, so we’re safe.” (RLS can be disabled, not forced, or too permissive.)
• “Files are just files.” (Public buckets can leak invoices, exports, and attachments.)
• “We’ll fix it later.” (Drift and forgotten grants/policies are common causes of leaks.)

A review checklist for Australia (fast, high-signal)

If you only have an hour, use this checklist to reduce the chance of missing the obvious:

1. Pick one sensitive table and confirm RLS is enabled/forced where relevant and that grants to client roles are not broad.
2. Pick one Storage bucket and confirm it is private and not listable; confirm signed URLs are server-generated and short-lived if used.
3. Pick one privileged RPC function and confirm public EXECUTE is revoked; confirm calls go through backend endpoints with auth checks.
4. Run one direct access test per surface (tables/Storage/RPC) and save the expected denial as evidence.
5. Write down boundary statements and add a drift guard after migrations.

This is not exhaustive — it’s the 80/20 that prevents “we thought it was safe” surprises.

Quick recap for Australia

The most robust baseline in any region is simple and verifiable:

• Treat the browser as untrusted for sensitive operations.
• Keep secrets server-only and avoid logging/persisting sensitive tokens or signed URLs.
• Remove direct client access to sensitive tables, private files, and privileged functions.
• Verify with direct access tests and keep a drift guard after migrations.

Use the regulations and local trends above to decide what to document and monitor more heavily for this location.