Insecure system
Hey there,
I recently read that supabase is not great for security, for the following reasons:
- RLS is too complicated and easy to mess up - no guardrails
- People can infinitely query public data and fill up your egress quota in minutes
- Direct database access
- Service role key easily leaked by mistake in client bundles nuking the whole db
- SQL injection risk as it's not sanitised
What do you, as experts of supabase, think of this? We're wondering if we should migrate to another provider like Neon since we also handle payments and confidential data.
For some context, we're on next.js.
I recently read that supabase is not great for security, for the following reasons:
- RLS is too complicated and easy to mess up - no guardrails
- People can infinitely query public data and fill up your egress quota in minutes
- Direct database access
- Service role key easily leaked by mistake in client bundles nuking the whole db
- SQL injection risk as it's not sanitised
What do you, as experts of supabase, think of this? We're wondering if we should migrate to another provider like Neon since we also handle payments and confidential data.
For some context, we're on next.js.
