Do you actually need to add cloudflare to protect your supabase-nordcraft project?

ssssadsadasd · 2025-06-03T13:59:50.778+00:00

So, I was trying to implement cloudflare to protect my supabase database from attacks. I am especially concerned about attack to read events as most of create/edit/delete are done via edge functions and there I can implement sth like [this](https://www.youtube.com/watch?v=c_vVyLTz76g&ab_channel=JayCampbell).however, the thing is that if the supabase url and apikey are basically public, then anyone can ddos the direct database url from outside the site (even if I have RLS, they can call the same data over and over again). so, does it make any sense having cloudflare? thanks

ssssadsadasd
8 months ago
So, I was trying to implement cloudflare to protect my supabase database from attacks. I am especially concerned about attack to read events as most of create/edit/delete are done via edge functions and there I can implement sth like [this](https://www.youtube.com/watch?v=c_vVyLTz76g&ab_channel=JayCampbell).
however, the thing is that if the supabase url and apikey are basically public, then anyone can ddos the direct database url from outside the site (even if I have RLS, they can call the same data over and over again).

so, does it make any sense having cloudflare? thanks
✅1
Lucas G
8 months ago
There are different layers to this
How come you're using edge functions instead of the main REST/SDK?
Edge functions shouldn't be used for most CRUD operations imo, it's an unnecessary layer to go through
Lucas G
8 months ago
That said, no, adding yet another layer through Cloudflare isn't necessary unless you're swapping out edge functions with cloudflare workers
Lucas G
8 months ago
Supabase has its own rate limiting features for its API endpoints
Andreas Møller
8 months ago
If you want to add ddos protection that cloudflare is a great choice. For smaller applications it is not worth it.

Suppose it depends on how many enemies you have
😂1
Lucas G
8 months ago
Doesn't Supabase have it's own Cloudflare layer to deal with DDoS?
I think that was on their site
Lucas G
8 months ago
"In addition to protection at the CDN level via Cloudflare, we employ fail2ban to prevent brute force logins. Users can customize rate limits for critical API routes and set spend caps to prevent surprise bills."
Andreas Møller
8 months ago
ok nice
@Lucas G
How come you're using edge functions instead of the main REST/SDK?
ssssadsadasd
8 months ago
my app will be read-heavy, and the edge functions give you the possibility to insert a lot of business logic (stuff like: create a post + add the number of posts for the profile + create tags). this business logic becomes difficult to manage only with rpc functions and triggers.
so right now I have built only rls for read, while I do the create/update/delete mostly with edge functions (where I also have the validation logic as an rls)
@Lucas G
Edge functions shouldn't be used for most CRUD operations imo, it's an unnecessary layer to go through
ssssadsadasd
8 months ago
this is a very interesting comment. could you shortly explain why you think that? thanks
Lucas G
8 months ago
Not sure I understand this line: "while I do the create/update/delete mostly with edge functions (where I also have the validation logic as an rls)"
@Lucas G
Not sure I understand this line: "while I do the create/update/delete mostly with edge functions (where I also have the validation logic as an rls)"
ssssadsadasd
8 months ago
what I mean is that I have some sort of rls logic in the edge function. sth like if this user is not part of the group then return an error and do no complete edge function
Lucas G
8 months ago
Do you have basic RLS on the tables themselves though
For all ops
Because otherwise, it may be possible to just bypass the edge function and do things to the db directly
Lucas G
8 months ago
Saw someone else missed this and users could basically delete entire tables if they wanted to
ssssadsadasd
8 months ago
I only have rls for read, which means the user can only create/update/delete through the edge functions.
the logic in the edge function is based on authentication token. so the user cannot do anything other than the logic for that authentication token allows him to (obviously in case the validation is correct, which would also be the case for rls)
@ssssadsadasd
this is a very interesting comment. could you shortly explain why you think that? thanks
Lucas G
8 months ago
Supabase was mainly designed to be accessed via its 'standard' methods; the auth layer/helper is built into it, performance is better, and there are no 'limits' like with edge functions.
I haven't used edge functions myself but I know some that have and they say that edge functions don't seem to be super reliable. Sometimes they're slow or simply fail.

I don't hate edge functions or anything though, they have their place
Lucas G
8 months ago
They're just another tool. If you find it easier to implement all your logic that way and you're not running into other issues then probably no need to worry about it
👍1
@ssssadsadasd
I only have rls for read, which means the user can only create/update/delete through the edge functions.
the logic in the edge function is based on authentication token. so the user cannot do anything other than the logic for that authentication token allows him to (obviously in case the validation is correct, which would also be the case for rls)
MartinF
8 months ago
If you only have rls on read then anyone can call the api directly and delete records for without touching your edge function. This would be a simple call with public keys. Unless i've misunderstood your setup. I use Edge Functions too, have found them to be good, but you still need full rls setup.
Andreas Møller
8 months ago
If you enable RLS for a table then all data in that table becomes private by default so no-one can read it
RLS policies grant access
If RLS is not enabled then all the data is public
MartinF
8 months ago
Of course. So simple. I sometimes forget they are permissive and not restrictive, or the other way around. 🤣
Andreas Møller
8 months ago
👍
As long as they are turned on.! So don't forget that.
👍1
ssssadsadasd
8 months ago
@MartinF if I have only this RLS could anyone call the api and create/update/delete?
ssssadsadasd
8 months ago
@MartinF as @Andreas Møller points out I obviously have the rls enabled
@ssssadsadasd
@MartinF if I have only this RLS could anyone call the api and create/update/delete?
Jay Campbell
8 months ago
This RLS is only for select and you don’t specify who should be able to access it (anon or authenticated), so everyone is able to read any of the records you have on this mute table.
@Jay Campbell
This RLS is only for select and you don’t specify who should be able to access it (anon or authenticated), so everyone is able to read any of the records you have on this mute table.
ssssadsadasd
8 months ago
@Jay Campbell yes I know. my question was instead on create/update/delete.
Lucas G
8 months ago
No, they can’t. Only way is if there’s issues in the edge function checks
👍1
Lucas G
8 months ago
You can link those if you want someone to try to do some pen testing 😂
@Lucas G
No, they can’t. Only way is if there’s issues in the edge function checks
ssssadsadasd
8 months ago
thought I was gonna be another bad example of vibe coding haha
@Lucas G
Supabase was mainly designed to be accessed via its 'standard' methods; the auth layer/helper is built into it, performance is better, and there are no 'limits' like with edge functions.
I haven't used edge functions myself but I know some that have and they say that edge functions don't seem to be super reliable. Sometimes they're slow or simply fail.

I don't hate edge functions or anything though, they have their place
Jay Campbell
8 months ago
Them being slow is correct. I just did one to send OTPs and I’m averaging ~800ms. 😔
@Lucas G
You can link those if you want someone to try to do some pen testing 😂
ssssadsadasd
8 months ago
you mean the edge functions? I am still finishing some of them and I was planning to get some human eyes on them in future though...
@Jay Campbell
Them being slow is correct. I just did one to send OTPs and I’m averaging ~800ms. 😔
Lucas G
8 months ago
This is a bit of a shame. I get it’s tough for them to try to do everything but these are the type of comments that made me never touch them lol
Lucas G
8 months ago
they’re still useful though
Andreas Møller
8 months ago
is 800ms bad for sending OTP?
If the endpoint has to wait for a resonse from an SMTP server it might not have anything to do with Supabase
@Andreas Møller
is 800ms bad for sending OTP?
Lucas G
8 months ago
No it isn’t just about the speed. I saw a lot of “they just failed to run” comments as well which was more concerning.
I think that’s been mostly addressed though (I hope)
Jay Campbell
8 months ago
It might not be, but I’m sure if I did it with Cloudflare Workers it would be better. I’m pretty sure Supabase Edge Functions are pretty slow and unreliable in general, at least based on the amount of Reddit comments. 🤣
Lucas G
8 months ago
lol
I assume they’ve gotten better though since launch
Andreas Møller
8 months ago
I havent used them enough to coment honestly
@ssssadsadasd
@MartinF as @Andreas Møller points out I obviously have the rls enabled
MartinF
8 months ago
You're all good, i just had a low-caffeine induced brain fart. Andreas straightened me out.
MartinF
8 months ago
I'm using edge functions to manage session tokens so i can use supabase-js client side and http-only cookies. Not had any issues with reliability and definitely wouldn't consider it slow, but then i'm from a Bubble background so i find everything blazing fast.
👍1

Do you actually need to add cloudflare to protect your supabase-nordcraft project?

ssssadsadasd

Lucas G

Lucas G

Lucas G

Andreas Møller

Lucas G

Lucas G

Andreas Møller

ssssadsadasd

ssssadsadasd

Lucas G

ssssadsadasd

Lucas G

Lucas G

ssssadsadasd

Lucas G

Lucas G

MartinF

Andreas Møller

MartinF

Andreas Møller

ssssadsadasd

ssssadsadasd

Jay Campbell

ssssadsadasd

Lucas G

Lucas G

ssssadsadasd

Jay Campbell

ssssadsadasd

Lucas G

Lucas G

Andreas Møller

Lucas G

Jay Campbell

Lucas G

Andreas Møller

MartinF

MartinF