Skip to main content
Manual tasks to complete in the Supabase Dashboard before or after going live. Use this checklist for both staging and production projects. Reference: Supabase Production Checklist.

Security

  • Network Restrictions — Restrict direct DB access to known IPs (Dashboard → Project → Database → Settings).
  • SSL Enforcement — Force encrypted connections (Dashboard → Project → Database → Settings).
  • Custom SMTP — Replace Supabase default with a production SMTP provider for auth emails — e.g. Microsoft 365 (aligns with the app’s Entra/Graph mail path) or Amazon SES (Dashboard → Project → Auth → SMTP).
  • MFA on Supabase org account — Protect the dashboard (Supabase account settings, not project).
  • Add multiple org owners — Ensure continuity if one admin loses access (Organization settings).
  • Review Realtime publications — Only enable replication on tables that need it (Dashboard → Database → Publications).
  • Disable public signup — Already enforced via config.toml (enable_signup = false); confirm in Auth settings.

Performance

  • Enable PITR — If DB is expected to exceed 4GB, enable Point-in-Time Recovery (Dashboard → Project → Settings → Add-ons).
  • Review indexes — Run Performance Advisor in Dashboard and apply recommended indexes if needed.
  • Load testing — Run k6 or similar on staging before launch.

Availability

  • Upgrade plan — Ensure Pro plan or higher for support access if required.
  • Subscribe to status pagestatus.supabase.com.

Config push (CLI)

Push hardened config.toml auth/session/rate-limit settings (optional; some options are Dashboard-only):
Note: The Supabase API may reject anonymous_users = 0 (use 1 in config) and does not support enabling MFA WebAuthn via config push; enable WebAuthn in Dashboard if required.

Project refs

  • Staging: bmkfpdhwmgawkfawplvo
  • Production: anuwknikgsijbameytzr