Lockdown database
Hey I want to lockdown my db as much as possible, so far I made a script:
- It begins by completely removing the pg_graphql extension and any objects that depend on it.
- It creates three new schemas if they don't already exist: api, extensions, and private.
- It revokes all permissions from public, authenticated, anon, service_role on schemas: public, extensions, private, graphql_public, and api.
- It then revokes all permissions on all existing tables, functions, and sequences within those same schemas for the same set of roles.
- It alters the default privileges for the same schemas.
- After removing all access, it selectively grants back one specific permission: it allows the authenticated and service_role roles USAGE on the api schema. For tables I need to grant permissions myself and I choose which columns specifically.
Are there more schemas I should revoke?
Are there other things I can do?
I saw a reply from Gary with a way to remove access to the schema design, this seems like a good idea to make the design a black box for people who dont develop? Of course locally where i run type generation I wont, just for prod. (https://github.com/orgs/supabase/discussions/12439)
Every suggestion is welcome!
Thanks!
- It begins by completely removing the pg_graphql extension and any objects that depend on it.
- It creates three new schemas if they don't already exist: api, extensions, and private.
- It revokes all permissions from public, authenticated, anon, service_role on schemas: public, extensions, private, graphql_public, and api.
- It then revokes all permissions on all existing tables, functions, and sequences within those same schemas for the same set of roles.
- It alters the default privileges for the same schemas.
- After removing all access, it selectively grants back one specific permission: it allows the authenticated and service_role roles USAGE on the api schema. For tables I need to grant permissions myself and I choose which columns specifically.
Are there more schemas I should revoke?
Are there other things I can do?
I saw a reply from Gary with a way to remove access to the schema design, this seems like a good idea to make the design a black box for people who dont develop? Of course locally where i run type generation I wont, just for prod. (https://github.com/orgs/supabase/discussions/12439)
Every suggestion is welcome!
Thanks!
GitHub
Hello guys, we are using Supabase in a NextJS application and we are very happy with it. All our tables are stored in the (default) public schema. For our server side code we initialize a client th...
