🔥 The DB Grill 🔥

Where database blog posts get flame-broiled to perfection

Introducing Supabase for Platforms
Originally from supabase.com
December 5, 2025 • Roasted by Marcus "Zero Trust" Williams

Alright, let's pull up a chair. I've got my coffee, my blood pressure medication, and an article that seems to have been written by someone who thinks a firewall is a decorative mantelpiece.

"Use Supabase as a platform for your own business and tools."

Oh, that's precious. Truly. You want me to build a house on top of a Jenga tower that's already sitting on a unicycle. What could possibly go wrong? This isn't a "platform," it's platform-ception. You're not just inheriting Supabase's potential vulnerabilities; you're inviting people to build their own insecure spaghetti code on top of your insecure spaghetti code, all hosted on a service that you fundamentally do not control.

Let's break down this masterpiece of misplaced optimism. So you're going to spin up a Supabase project and then resell it as a service? Fantastic. You're not just a company anymore; you're a cloud provider. Congratulations on your promotion. I hope you've budgeted for a 24/7 incident response team, because you're gonna need it.

You're offering a multi-tenant service, are you? On top of Postgres. I hope—and I mean this with every fiber of my being—that your understanding of Row Level Security is god-tier. Because one slightly misconfigured policy, one USING (true) where there should have been a tenant_id = auth.uid(), and suddenly every single one of your customers is reading every other customer's "private" data. It’s not a data breach, it's an unsolicited data-sharing social event. It's a feature!

And what about your tenants? The businesses you're hosting? Are you letting them run their own code? You're talking about building "tools," after all. Are we talking about Supabase Edge Functions? Oh, lovely. So now I have to worry about your dependencies, Supabase's dependencies, and now every single un-audited npm package your customer, "Dave's Discount Dog-Walking Co.", decides to npm install. It's a supply chain attack Matryoshka doll. One malicious package in one of your tenants' functions, and they could be probing your entire internal network, or worse, using that shared Postgres instance to try and escalate privileges.

"Supabase is just Postgres."

You say that like it's a comfort. Postgres is a powerful, complex, and glorious database. In the hands of a seasoned DBA, it's a scalpel. In the hands of a startup that just read your blog post, it's a rusty, gas-powered chainsaw with no safety guard. They'll be enabling extensions that haven't been updated since 2017, writing plpgsql functions that are just screaming for a SQL injection, and using pg_cron to run a script that accidentally DROPs the auth.users table every Tuesday.

Let's talk about the "magic" of it all. The auto-generated APIs. Supabase sees a table, and poof, you have a RESTful endpoint for it. Every column, every table, suddenly exposed to the world, protected only by that RLS policy you probably forgot to write. Every new feature you add to your "platform" is a new set of endpoints, a new expansion of the attack surface. It's not a feature, it's a CVE buffet, and everyone's invited.
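To make the RLS failure mode from the multi-tenant rant and the exposed-endpoint problem above concrete, here is an added example (not code from the original post or from Supabase) that puts the leaky `USING (true)` policy next to the tenant-scoped one and finishes with an audit query. It assumes a Supabase-style Postgres with the `auth.uid()` function and the `authenticated` role; the `invoices` table is constructed for the example.

```sql
-- Added example, not from the original post or from Supabase.
-- Assumes Supabase's auth.uid() (caller's id) and the "authenticated" role.
create table public.invoices (
  id           bigint generated always as identity primary key,
  tenant_id    uuid not null,        -- the page's tenant_id = auth.uid() model
  amount_cents integer not null,
  memo         text
);

-- Without RLS, the auto-generated REST endpoint for "invoices" hands every
-- row to any role with table privileges. Enabling RLS makes the default
-- "no rows" until a policy grants access; FORCE applies it to the owner too.
alter table public.invoices enable row level security;
alter table public.invoices force row level security;

-- The misconfiguration from the roast: a policy that is true for everyone.
-- Every authenticated caller reads (and here also writes) every tenant's rows.
create policy invoices_everyone on public.invoices
  for all to authenticated
  using (true) with check (true);

-- The fix: scope both the rows that can be seen (USING) and the rows that
-- can be inserted or updated (WITH CHECK) to the caller's own tenant.
drop policy invoices_everyone on public.invoices;
create policy invoices_own_tenant on public.invoices
  for all to authenticated
  using (tenant_id = auth.uid())
  with check (tenant_id = auth.uid());

-- Note: the service_role key bypasses RLS entirely, so it must never reach
-- tenant code or a browser; only the anon/authenticated roles go through RLS.

-- Audit check: list every table in public that either has RLS disabled or
-- carries a policy whose USING clause is the literal "true". Any row in this
-- result is the "unsolicited data-sharing social event" described above.
select c.relname          as "table",
       c.relrowsecurity   as rls_enabled,
       p.policyname,
       p.qual             as using_clause
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind = 'r'
  and (not c.relrowsecurity or p.qual = 'true');
```

Run the audit query as part of every migration review; an empty result is the goal, and a non-empty one names the exact table and policy to fix.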

I can just see the SOC 2 audit now. Auditor: "So, can you show me the physical access controls for the server hosting Customer X's data?" You: "Uhh, I can send you a link to Supabase's security page?" Auditor: "And your data segregation controls? How do you guarantee that a process from Tenant A cannot access memory or resources from Tenant B?" You: "...Row Level Security?" Auditor: (Takes a long, slow sip of cold coffee and quietly closes their laptop)

You're not building a business; you're building a shared responsibility model nightmare where you've accepted all the responsibility and have none of the control. You're on the hook for GDPR, CCPA, maybe even HIPAA, and your entire infrastructure is a black box that you pay for monthly. Good luck explaining that to the regulators.

Honestly, this whole trend... treating databases like they're just disposable JSON buckets with a bit of SQL sprinkled on top. It's why I'm so tired. You've abstracted away the difficulty, and with it, you've abstracted away the understanding of the risk. So go on, build your platform on a platform. I'll be here, waiting for the inevitable post-mortem on Hacker News. I'll even bring the popcorn.