apps/www/_blog/2025-07-16-improved-security-controls.mdx
Today we are launching the foundations of several security features we plan to build on in the upcoming months.
Supabase offers a robust set of security controls, but discovering and configuring them can feel daunting. Our new security documentation brings everything into one place - from product features like Auth Rate Limits and Vault to step‑by‑step guides on building secure applications with Supabase (Row‑Level Security, hardening the Data API, the Production Checklist, and more).
We’ve also published dedicated SOC 2 and HIPAA guides that explain how to achieve these compliance standards on Supabase and answer common questions.
The first setting we are launching on the new organization‑wide security settings page in the Dashboard is the ability to enforce Multi‑Factor Authentication (MFA) for every member of a Supabase Organization. Once enabled, every member must have MFA configured before they can access any project or resource in that organization.
With MFA enforcement enabled, all members of your organization must use multi-factor authentication to access any project or resource. A member who has not enabled MFA immediately loses access until they do. New members can still accept an invitation to an MFA‑enforced organization, but cannot interact with the organization until they have enabled MFA.
This setting is only available to Organization Owners, and the owner must have MFA enabled on their own account. We recommend setting up two separate MFA apps as a backup.
A few notes:

- You can toggle on this setting in the new Security tab of your organization settings.
You can now restrict Realtime to private channels only, using Realtime Authorization. If you toggle off the Allow public access setting, no public channels can be created, and only clients authorized via Realtime Authorization can listen to and send messages.
This settings page is under a feature preview and you can enable it here. Once the feature preview is enabled, you can configure this setting in the new Realtime Settings page. While you are there, you can also tune the connection pool size that Realtime uses and the maximum concurrent clients.
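With public access disabled, every channel is private and each client's access is decided by Row‑Level Security policies on the `realtime.messages` table. The following policies, added here as an illustration and not taken from the Supabase codebase, let signed‑in users receive and send broadcast messages only on topics named `room-<their own user id>`; the `room-` topic naming and the tenancy rule are constructed assumptions for the example, while `realtime.messages`, `realtime.topic()` and the `extension` column are the real objects Realtime Authorization evaluates.

```sql
-- Assumption: the topic naming scheme is "room-<user id>"; pick whatever
-- scheme matches your app. Policies on realtime.messages are evaluated
-- when a client joins a private channel and when it tries to send.

-- Listening: SELECT policy. realtime.topic() returns the channel name the
-- client is joining; the extension column is 'broadcast' or 'presence'.
create policy "users listen to their own room"
on realtime.messages
for select
to authenticated
using (
  realtime.messages.extension in ('broadcast', 'presence')
  and realtime.topic() = 'room-' || auth.uid()::text
);

-- Sending: INSERT policy with the same predicate, so a client cannot
-- broadcast into a room it is not allowed to read.
create policy "users send to their own room"
on realtime.messages
for insert
to authenticated
with check (
  realtime.messages.extension in ('broadcast', 'presence')
  and realtime.topic() = 'room-' || auth.uid()::text
);

-- Anonymous clients get no policy at all: with public access off and no
-- matching policy, joining any channel is rejected.
```

A quick way to check the result is to join a private channel as one user and as another user in a second browser: the second join should fail with an authorization error rather than silently receiving nothing. Note that the policy check runs at join time, so a user whose access is revoked keeps an already‑open subscription until they reconnect.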
We received feedback from users that not all Security and Performance Advisor rules apply to their project. Supabase powers everything from backend‑only APIs to full‑stack apps, so some advisor rules will not be relevant for everyone. For example, the RLS Disabled in Public rule may not apply if you only access Supabase from a secure context such as a web server.
You can now customize Security Advisor rules and disable those that are not relevant to your project. We will be extending rule customization to include rule assignment and finer‑grained filtering.
This is currently under a feature preview and you can enable it here. Once enabled, rules can be managed through the new configuration section.
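Before disabling the RLS Disabled in Public rule, it is worth confirming exactly which tables it is flagging and that none of them is reachable from a browser through the Data API. The queries below are an added example, not part of the release or the advisor's own implementation; they list public tables without Row‑Level Security using the PostgreSQL catalog, and then show how to satisfy the rule for one table. The `public.profiles` table and its `user_id` column are constructed for the example.

```sql
-- 1. Which public tables have RLS switched off? This is the condition the
--    advisor rule reports on. relkind 'r' limits the list to ordinary tables.
select n.nspname as schema_name,
       c.relname as table_name,
       c.relrowsecurity as rls_enabled
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity
order by c.relname;

-- 2. For any table in that list that the Data API exposes to browser
--    clients, enable RLS and add an explicit policy. Assumption: profiles
--    has a user_id column holding the owning auth user's id.
alter table public.profiles enable row level security;

create policy "users read their own profile"
on public.profiles
for select
to authenticated
using (user_id = auth.uid());

create policy "users update their own profile"
on public.profiles
for update
to authenticated
using (user_id = auth.uid())
with check (user_id = auth.uid());

-- 3. Re-run query 1: profiles should no longer appear. Tables that remain
--    are the ones you are deciding to leave uncovered by disabling the rule.
```

Enabling RLS with no policies denies all access through the `anon` and `authenticated` roles, so the table is locked down by default and each policy then opens one specific path. The `service_role` key used by a web server bypasses RLS, which is why the rule can be safe to disable when that is the only way the table is reached; the catalog query above is the evidence to keep alongside that decision.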
This release is the first building block in our security roadmap across the Supabase platform, including user auth, network isolation, compliance tooling, and automated remediation.
Here’s what's in progress:
- Stronger Authentication and Access Control
- Security Enforcement
- Enterprise Connectivity
Our goal is to provide you with the best suite of security tools you need to deploy your production apps on Supabase with confidence.