Hardening the Data API
Your database's automatically generated Data API exposes the public
schema by default. If your public
schema is used by other tools as a default space, you might want to lock down this schema. This helps prevent accidental exposure of data that's automatically added to public
.
There are two levels of security hardening for the Data API:
- Disabling the Data API entirely. This is recommended if you never need to access your database via Supabase client libraries or the REST and GraphQL endpoints.
- Removing the
public
schema from the Data API and replacing it with a custom schema (such asapi
).
Disabling the Data API
You can disable the Data API entirely if you never intend to use the Supabase client libraries or the REST and GraphQL data endpoints. For example, if you only access your database via a direct connection on the server, disabling the Data API gives you the greatest layer of protection.
- Go to API Settings in the Supabase Dashboard.
- Under Data API Settings, toggle Enable Data API off.
Exposing a custom schema instead of public
If you want to use the Data API but with increased security, you can expose a custom schema instead of public
. By not using public
, which is often used as a default space and has laxer default permissions, you get more conscious control over your exposed data.
Any data, views, or functions that should be exposed need to be deliberately put within your custom schema (which we will call api
), rather than ending up there by default.
Step 1: Remove public
from exposed schemas
- Go to API Settings in the Supabase Dashboard.
- Under Data API Settings, remove
public
from Exposed schemas. Also removepublic
from Extra search path. - Click Save.
- Go to Database Extensions and disable the
pg_graphql
extension.
Step 2: Create an api
schema and expose it
-
Connect to your database. You can use
psql
, the Supabase SQL Editor, or the Postgres client of your choice. -
Create a new schema named
api
:_10create schema if not exists api; -
Grant the
anon
andauthenticated
roles usage on this schema._10grant usage on schema api to anon, authenticated; -
Go to API Settings in the Supabase Dashboard.
-
Under Data API Settings, add
api
to Exposed schemas. Make sure it is the first schema in the list, so that it will be searched first by default. -
Under these new settings,
anon
andauthenticated
can execute functions defined in theapi
schema, but they have no automatic permissions on any tables. On a table-by-table basis, you can grant them permissions. For example:_10grant select on table api.<your_table> to anon;_10grant select, insert, update, delete on table api.<your_table> to authenticated;