Canada Supabase security

Supabase security context for Canada

Canadian teams using Supabase need clear controls for personal information handling, especially around direct data access, breach readiness, and cross-team accountability.

Pricing / operational notes for Canada

Security work often includes recurring effort for privacy requests, breach response readiness, and evidence collection. Backend-only access plus repeatable checks reduces long-term remediation cost.

Regulatory considerations (high-level, sourced)

• PIPEDA (Personal Information Protection and Electronic Documents Act) — PIPEDA sets baseline private-sector rules for collecting, using, and disclosing personal information. Teams should implement safeguards against unauthorized access and maintain accountable processing practices. (source: https://laws-lois.justice.gc.ca/eng/acts/p-8.6/FullText.html)
• OPC guidance on PIPEDA obligations — The Office of the Privacy Commissioner explains practical obligations such as consent, safeguards, and accountability. Security controls should be demonstrable and aligned with stated privacy practices. (source: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/)

Local trends that shape risk

• B2B buyers increasingly request evidence of least-privilege data access and incident readiness before procurement.
• Teams are expected to show practical controls for breach response, not only policy documents.
• Privacy and engineering stakeholders are aligning on repeatable verification after schema and permission changes.

What to prioritize first in Canada (high leverage)

1. Block direct client access to sensitive data surfaces (tables, Storage, privileged RPC).
2. Make verification repeatable: one checklist you can run in dev/staging/prod.
3. Reduce policy complexity: prefer backend-only access for sensitive workflows.
4. Add monitoring and logs so you can respond quickly if something changes.

Practical checklist

1. Define which Supabase resources are backend-only and document why.
2. Revoke broad grants for anon and authenticated roles on sensitive tables.
3. Make sensitive Storage buckets private and generate signed URLs on the server only.
4. Review RPC EXECUTE permissions and remove public execution for privileged functions.
5. Add a direct-access verification test that must fail for client credentials.
6. Run the same checks in dev, staging, and production after every migration.
7. Capture evidence artifacts for audits: test results, change logs, and ownership notes.

How to use this Canada page during a review

1. Start with the local trends and identify which ones apply to your app and customers.
2. Pick one high-risk surface (tables/Storage/RPC) and run direct access tests to validate exposure.
3. Apply one template/conversion and repeat the same tests to prove the fix worked.
4. Capture evidence (what changed + what test proves it) and add a drift guard after migrations.

Evidence to keep for Canada (so reviews go faster)

• A short architecture note describing which operations are backend-only and why.
• A copy of the verification checklist you run after migrations and releases.
• A record of security-critical configuration changes (policies, grants, bucket settings, functions).
• Logs or monitoring signals that help you detect unexpected access patterns.

Baseline architecture that maps well to Canada expectations

If you want a posture that’s easy to explain in reviews, keep the architecture simple:

• Backend-only access for sensitive operations (tables/Storage/RPC).
• Short-lived signed URLs for private files generated on the server after authorization.
• Least privilege for client roles: no broad grants, minimal policies, deny-by-default where possible.
• Repeatable verification and drift checks after migrations.

Recommended reading (glossary terms)

• Row Level Security (RLS) → /glossary/row-level-security
• Public Table Exposure → /glossary/public-table-exposure
• Over-permissive RLS Policies → /glossary/over-permissive-rls-policies
• Supabase Storage Bucket Privacy → /glossary/supabase-storage-bucket-privacy
• RPC EXECUTE Grants → /glossary/rpc-execute-grants
• Signed URLs → /glossary/signed-urls
• Service Role Key → /glossary/service-role-key
• Forced RLS (FORCE ROW LEVEL SECURITY) → /glossary/force-row-level-security
• Client Role Grants (anon/authenticated) → /glossary/client-role-grants
• Ownership-bound RLS Policies → /glossary/ownership-bound-rls-policies
• Storage Object Enumeration → /glossary/storage-object-enumeration
• Public RPC Surface Area → /glossary/public-rpc-surface-area
• NEXT_PUBLIC Secret Leakage → /glossary/next-public-secret-leakage
• Broken Object Level Authorization (BOLA) → /glossary/broken-object-level-authorization
• Insecure Direct Object References (IDOR) → /glossary/insecure-direct-object-references
• Tenant ID Trusted from Client → /glossary/tenant-id-trust-in-client
• Missing WITH CHECK Policy → /glossary/missing-with-check-policy
• Broad SELECT for Authenticated Role → /glossary/broad-authenticated-select
• Broad UPDATE for Authenticated Role → /glossary/broad-authenticated-update
• Broad DELETE for Authenticated Role → /glossary/broad-authenticated-delete
• Default Privilege Drift → /glossary/default-privilege-drift
• Schema USAGE Granted to PUBLIC → /glossary/schema-usage-granted-to-public
• Exposed Materialized Views → /glossary/exposed-materialized-views
• Insecure SECURITY DEFINER Functions → /glossary/insecure-security-definer-functions
• Mutable Function search_path → /glossary/mutable-function-search-path
• Trigger Privilege Escalation → /glossary/trigger-privilege-escalation
• Migration Owner Bypass of RLS → /glossary/migration-owner-bypass
• Shadow Table Without RLS → /glossary/shadow-table-without-rls
• Audit Log Table Publicly Readable → /glossary/audit-log-public-readable
• Soft Delete Policy Bypass → /glossary/soft-delete-policy-bypass
• UPSERT Policy Gap → /glossary/upsert-policy-gap
• Cross-Schema Data Exposure → /glossary/cross-schema-exposure
• Unrestricted View Definitions → /glossary/unrestricted-view-definitions
• Leaked JWT Signing Secret → /glossary/leaked-jwt-secret
• Stale JWT Claims → /glossary/stale-jwt-claims
• Auth Role Claim Confusion → /glossary/auth-role-claim-confusion
• Magic Link Open Redirect → /glossary/magic-link-redirect-open-redirect
• Password Reset Token Leakage → /glossary/password-reset-token-leakage
• OAuth Role Mapping Errors → /glossary/oauth-role-mapping-errors
• SSO Group Sync Escalation → /glossary/sso-group-sync-escalation
• Invite Flow Tenant Escalation → /glossary/invite-flow-tenant-escalation
• Membership Race Condition → /glossary/membership-race-condition
• Admin Panel Client-Only Auth → /glossary/admin-panel-client-auth-only
• Database URL Leaked in Client → /glossary/leaked-database-url-in-client
• Secrets in Repository History → /glossary/secrets-in-repo-history
• Environment Parity Security Drift → /glossary/env-parity-security-drift
• Staging Database Public Exposure → /glossary/staging-db-public-exposure
• Test Data Left in Production → /glossary/test-data-in-production
• Unencrypted Sensitive Columns → /glossary/unencrypted-sensitive-columns
• Missing Key Rotation Policy → /glossary/key-rotation-policy-missing
• Service Role Overreach in Cron Jobs → /glossary/service-role-overreach-in-cron
• PII in Error Traces → /glossary/pii-in-error-traces
• PII in Analytics Events → /glossary/pii-in-analytics-events
• Missing Data Retention Policy → /glossary/data-retention-policy-missing
• Incomplete GDPR Delete Flow → /glossary/incomplete-gdpr-delete-flow
• No Exfiltration Anomaly Detection → /glossary/no-anomaly-detection-exfiltration
• Weak Tenant Isolation Tests → /glossary/weak-tenant-isolation-tests
• Policy Drift After Schema Rename → /glossary/policy-drift-after-schema-rename
• Orphaned Policies After Table Rename → /glossary/orphaned-policies-after-table-rename
• Generated Columns Leak Sensitive Data → /glossary/generated-columns-sensitive-leak
• View Without Security Barrier → /glossary/view-without-security-barrier
• Missing Column-Level Redaction → /glossary/column-level-redaction-missing
• Unrestricted PostgREST Origin Proxy → /glossary/unrestricted-postgrest-origin
• CORS Misconfiguration in Edge Functions → /glossary/cors-misconfiguration-edge-functions
• Missing Webhook Signature Validation → /glossary/missing-webhook-signature-validation
• Webhook Replay Attack Risk → /glossary/webhook-replay-attack-risk
• Billing Webhook Idempotency Gap → /glossary/billing-webhook-idempotency-gap
• Insecure Edge Function Authentication → /glossary/insecure-edge-function-auth
• Edge Function Service Role Overuse → /glossary/edge-function-service-role-overuse
• RPC Dynamic SQL Injection → /glossary/rpc-dynamic-sql-injection
• RPC Missing Input Validation → /glossary/rpc-missing-input-validation
• RPC Unbounded Result Sets → /glossary/rpc-unbounded-result-set
• RPC Error Message Data Leak → /glossary/rpc-error-data-leak
• Public Function Source Disclosure → /glossary/public-function-source-disclosure
• Overloaded RPC Signature Miss → /glossary/overloaded-rpc-signature-miss
• Unrestricted Admin Search Endpoint → /glossary/unrestricted-admin-search-endpoint
• Bulk Export Endpoint Overexposure → /glossary/bulk-export-endpoint-overexposure
• CSV Import Trusts Client Columns → /glossary/csv-import-trusts-client-columns
• Row Ownership Transfer Without Recheck → /glossary/row-ownership-transfer-without-recheck
• File Upload MIME Spoofing → /glossary/file-upload-mime-spoofing
• Storage Upload Size Abuse → /glossary/storage-upload-size-abuse
• Missing Malware Scanning on Uploads → /glossary/missing-malware-scanning-uploads
• Public Backup Bucket Leak → /glossary/public-backup-bucket-leak
• Expired Signed URL Caching Leak → /glossary/expired-signed-url-caching-leak
• Object Path Predictability Risk → /glossary/object-path-predictability-risk
• Storage Lifecycle Policy Missing → /glossary/storage-lifecycle-policy-missing
• Bucket LIST Permission Too Broad → /glossary/bucket-list-permission-too-broad
• Realtime Channel Authorization Gap → /glossary/realtime-channel-authorization-gap
• Realtime Presence Data Leak → /glossary/realtime-presence-data-leak
• Publication Includes Sensitive Tables → /glossary/publication-includes-sensitive-tables
• Replication Role Overgrant → /glossary/replication-role-overgrant
• Unbounded Pagination Enumeration → /glossary/unbounded-pagination-enumeration
• Guessable Primary Keys → /glossary/guessable-primary-keys
• Missing Rate Limits on Write Paths → /glossary/rate-limit-missing-on-write-paths
• Missing CAPTCHA on Sensitive Flows → /glossary/missing-captcha-sensitive-flows
• Insecure Feature Flag Disclosure → /glossary/insecure-feature-flag-disclosure
• No Two-Person Review for Privilege Changes → /glossary/no-two-person-review-privilege-changes
• Dependency Drift Misses Security Updates → /glossary/dependency-drift-security-updates-missed
• Private Key Material in Logs → /glossary/private-key-material-in-logs
• API Cache Leaks Private Data → /glossary/api-cache-private-data-leak
• Data API Public Schema Exposure → /glossary/data-api-public-schema-exposure
• Data API Custom Schema Misconfiguration → /glossary/data-api-custom-schema-misconfiguration
• pg_graphql Extension Exposure → /glossary/pg-graphql-extension-exposure
• Realtime Public Channel Mode → /glossary/realtime-public-channel-mode
• Realtime Topic Policy Mismatch → /glossary/realtime-topic-policy-mismatch
• Realtime Broadcast Overexposure → /glossary/realtime-broadcast-overexposure
• Edge Function JWT Verification Gap → /glossary/edge-function-jwt-verification-gap
• Service Role Authorization Header Override → /glossary/service-role-authorization-header-override
• Publishable vs Secret Key Scope Confusion → /glossary/publishable-secret-key-scope-confusion
• Missing Network Restrictions → /glossary/missing-network-restrictions
• IPv6 Allowlist Gap → /glossary/ipv6-allowlist-gap
• Default Function EXECUTE to PUBLIC → /glossary/default-function-execute-to-public
• Untrusted Language Function Risk → /glossary/untrusted-language-function-risk
• Storage Authenticated Endpoint Overtrust → /glossary/storage-authenticated-endpoint-overtrust

Recommended fixes (templates)

• Lock down a public table (backend-only access) → /templates/access-control/lock-down-public-table
• Make a bucket private + serve files with signed URLs → /templates/storage-safety/make-bucket-private-signed-urls
• Lock down RPC: revoke EXECUTE from public roles → /templates/rpc-functions/lock-down-rpc-execute

Common misconceptions to avoid in Canada

• “We removed the UI button so the data isn’t reachable.” (Attackers don’t use your UI.)
• “We have RLS policies, so we’re safe.” (RLS can be disabled, not forced, or too permissive.)
• “Files are just files.” (Public buckets can leak invoices, exports, and attachments.)
• “We’ll fix it later.” (Drift and forgotten grants/policies are common causes of leaks.)

A review checklist for Canada (fast, high-signal)

If you only have an hour, use this checklist to reduce the chance of missing the obvious:

1. Pick one sensitive table and confirm RLS is enabled/forced where relevant and that grants to client roles are not broad.
2. Pick one Storage bucket and confirm it is private and not listable; confirm signed URLs are server-generated and short-lived if used.
3. Pick one privileged RPC function and confirm public EXECUTE is revoked; confirm calls go through backend endpoints with auth checks.
4. Run one direct access test per surface (tables/Storage/RPC) and save the expected denial as evidence.
5. Write down boundary statements and add a drift guard after migrations.

This is not exhaustive — it’s the 80/20 that prevents “we thought it was safe” surprises.

Quick recap for Canada

The most robust baseline in any region is simple and verifiable:

• Treat the browser as untrusted for sensitive operations.
• Keep secrets server-only and avoid logging/persisting sensitive tokens or signed URLs.
• Remove direct client access to sensitive tables, private files, and privileged functions.
• Verify with direct access tests and keep a drift guard after migrations.

Use the regulations and local trends above to decide what to document and monitor more heavily for this location.