One particular example of this is that anonymous access, as hinted in the article, is turned on by default, and it’s not straightforward to just disable it; it requires some in-depth knowledge of how the Postgres security model works to do it correctly.
This is not a problem with Supabase.
For an in depth discussion of the type of issues I am referring to
> pushes very hard for RLS to increase adoption by non-technical users
We are tailoring what we're doing for this audience. The challenge is that they appeared out of nowhere about 6 months ago, and the LLMs that are used by this audience are trained on 5 years of content tailored for developers.
this is not an excuse, I'm just adding color. We've made a lot of changes with tools, alerts, email warnings etc. We are in planning-mode for changing defaults and working with the AI Builder platforms. We will likely change the schema configuration and advocate for Edge Functions (serverside Typescript) where appropriate.
I guess the training data has more demos of people doing it the wrong way than examples/blogs/articles about how to do it properly.
Speaking for myself, I remember a time when personal ("indy") projects had the reputation of being better cared for than big company products before online repositories were even a thing.
I had a Mac at the time, so here are some off the top of my head that I remember being very popular: Quicksilver and LaunchBar, NetNewsWire, Coda and Transmit (anything from Panic, really), Growl, AudioHijack and Soundflower, Unarchiver, iA Writer... these were insanely well crafted apps with no real competition from big companies in that regard.
Apple infamously capitalized on this indy development phenomenon with the creation of the AppStore model in 2008, first on the iPhone and later on the Mac.
Outside of this ecosystem I can remember WinAmp, Total Commander, WinRar, 7-zip, VLC, Foobar, mIRC, Paint.NET, μTorrent, FileZilla, Reaper, SublimeText...
Macromedia was a medium sized company with huge global success for their size, and they had some of the best software out there at the time before their acquisition. Adobe immediately polluted it.
Thoughtful, ad-free, bloat free, passion-driven software with attention to detail, good design and great performance was an attribute of small independent teams, not big software companies.
Did it? I'm not so sure.
Just asking, because it sounded funky when I heard it at first.
They still execute on the server. Server and client code is never mixed in the same file, and there is a way to enforce at the build time that code destined for the server never accidentally gets pulled into the client bundles either.
See here for an overview. https://overreacted.io/what-does-use-client-do/#use-server
I think by default they have some sort of public schema which is the default schema and for which PostgREST is enabled. There may be a checkbox to change that during setup but it's not checked by default.
Instead, one should probably use a different schema for the actual tables and create views that define the public API in the public schema.
I just googled this and it seems to be even recommended in the PostgREST documentation itself: https://postgrest.org/en/v10/schema_structure.html#
Push out crap, hope it sells, leave the problem for someone else to figure out.
Make the minimum thing people will pay money for and hope that a bigger fish gobbles you up.
BaaS sounds cool but, for small apps, understanding and configuring RLS is a lot harder than writing a backend to expose only what you want.
In order to put something online and have it stay there, you must possess the will to dominate.
Internet citizenship isn't a right and it's something LLMs won't help you with.
If you can't fight then go back to Facebook where you belong.
> Internet citizenship isn't a right
> If you can't fight then go back to Facebook where you belong.
Respectfully, these phrases sound a bit toxic and elitist tbh.
Perhaps you meant that the net is a bit like the wild west, so one had best be mindful of the dangers?
As another commenter mentioned, don't complain your house was broken into if you didn't have locks on the doors.
> it's something LLMs won't help you with.
That phrase, however, is spot on.
Share your online service if you've got one. If you want, you can try and take down mine: https://ipv4.games/
wow great security advice, maybe add another pro tip like "look out the front window when you vibe drive your car".
1. Put anything that you don't want to be accessible by anon in a schema other than "public." This seems obvious, but the public schema is Supabase's default behavior. Supabase's official reply about this question is "I guess you can, but don't worry, RLS." However, security is an onion. Put up as many barricades as you can. If I were king of Supabase, I would err on the side of security.
2. Log in to Supabase Studio, set your role to "anon" instead of "postgres", click on every single table and view that should be private, and make sure there are no results.
Supabase could do a lot better about communicating this, and it would require no breaking changes unlike this disaster[0] which requires hacking your historic migrations!
> Supabase's official reply about this question is "I guess you can, but don't worry, RLS."
Here is a more representative view of our official reply:
https://supabase.com/docs/guides/database/hardening-data-api
To avoid both 1 and 2 I would suggest creating a `private` schema. We are now in the planning stages to make this the default.
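The schema layout suggested in the comments above (tables in a non-exposed schema, a view in `public` as the API surface, and a check from the `anon` role) written out as one PostgreSQL script. This is an added example, not code from the thread, the Supabase docs or the PostgREST docs. It assumes a Supabase-style setup: the roles `anon` and `authenticated`, a function `auth.uid()` that returns the caller's user id (NULL for anonymous requests), and PostgREST configured to expose only the `public` schema. The table `private.orders` and the view `public.my_orders` are hypothetical names chosen for the example.

```sql
-- Added example: keep application tables out of the PostgREST-exposed
-- "public" schema, expose a minimal view, and verify from the anon role.
-- Assumed environment: Supabase roles anon/authenticated, auth.uid(),
-- PostgREST exposing only "public". Requires PostgreSQL 15+ for
-- security_invoker views.

-- 1. A schema PostgREST does not expose. anon gets no USAGE on it, so even a
--    misconfigured grant on a table inside would not be reachable by anon.
create schema if not exists private;
revoke all on schema private from public;
grant usage on schema private to authenticated;

create table private.orders (
  id            bigint generated always as identity primary key,
  user_id       uuid not null,
  amount        numeric(12, 2) not null,
  internal_note text                       -- must never reach the client
);

-- 2. RLS on the table itself (defence in depth: the schema barrier and the
--    row filter are independent). Only the owner of a row can select it.
alter table private.orders enable row level security;
create policy orders_owner_select on private.orders
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Column-level grant: the client may read id/amount/user_id but never
-- internal_note, regardless of which view exposes the table later.
grant select (id, amount, user_id) on private.orders to authenticated;

-- 3. The public API surface is a view. security_invoker = true makes the view
--    run with the caller's privileges, so the RLS policy above is applied.
--    Supabase's default privileges grant new public objects to anon and
--    authenticated, hence the explicit revoke for anon.
create view public.my_orders
  with (security_invoker = true) as
  select id, amount
  from private.orders;

revoke all on public.my_orders from anon;
grant select on public.my_orders to authenticated;

-- 4. The check from step 2 of the comment above, done in SQL instead of by
--    clicking through Studio: become anon and confirm nothing is readable.
set role anon;
select * from public.my_orders;   -- expected: permission denied for view my_orders
select * from private.orders;     -- expected: permission denied for schema private
reset role;

-- 5. Automated version of the same check: list everything in "public" that
--    anon can still SELECT. Run this after every migration; it should return
--    only the objects you intend to be world-readable (ideally nothing).
select c.table_schema, c.table_name
from information_schema.tables c
where c.table_schema = 'public'
  and has_table_privilege(
        'anon',
        format('%I.%I', c.table_schema, c.table_name),
        'SELECT');
```

Two caveats a practitioner should keep in mind. First, `security_invoker` views need the caller to hold privileges on the underlying table, which is why `authenticated` receives `USAGE` on `private` and a column-restricted `SELECT`; a default (security definer) view would instead run as its owner and silently bypass RLS if the owner has `BYPASSRLS`. Second, the query in step 5 only reports table-level and view-level access; function access (`has_function_privilege`) and any schema you later add to PostgREST's exposed list need their own checks.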
This is excellent news!
I apologize for my "disaster" wording. I had to eat some hours for that, and I am a bit salty. This was a tough thing technically for you guys, and it's likely more about future users. I get it. However, hacking my old migrations did feel very icky.
All that aside, I would like to genuinely thank your team for reading my reddit comment about my argument for MCP --read-only, and only a couple of days later coming back with ~"Yeah, that actually makes sense, we are doing it."
On HN, we are used to YC-funded CEOs chiming in sometimes, but you guys created a feature based on my rando reddit comment, because it made sense. That's an org I want to work with. I should have made my original comment more accurate about my feelings.
it was great feedback, thank you!
emrah•1d ago
grumpymuppet•1d ago
My understanding is the notion is about getting an application to "work" without any underlying theory of operation or evaluation of the imported context.
joshuanapoli•1d ago
aitchnyu•1d ago
dghlsakjg•1d ago
That said, all of the full-fat frameworks make it pretty easy to define what should and shouldn't be visible to which users; the use case that he has would not have been harder to do using Rails, Phoenix, Django, etc. as a backend, and it would have been very easy to control the failures that he had.
jjani•1d ago
jjani•1d ago
TZubiri•1d ago
It has its dangerous spots, and its uncomfortable spots, but we pretty much know all about them already, and usage is heavily documented.
Or you can try ORM74 and hope it is faster and more secure than THE standard way. Gamble away.
Or maybe try Framework 74b which abstracts away the ORM
nottorp•1d ago
Pray tell, what is a good choice then?
.
.
... anything you already know yourself to secure so you can correct the "AI"
joshuanapoli•1d ago
I think that this is the answer. Maybe someone who is great with Postgres Row Level Security will have an OK time with Supabase security, even if they are vibe coding. They wouldn't think of asking the AI for something that won't work.
skydhash•1d ago