Do you actually need to add cloudflare to protect your supabase-nordcraft project?

  • ssssadsadasd-1379459570715459605

    ssssadsadasd

    3 days ago

    So, I was trying to implement Cloudflare to protect my Supabase database from attacks. I am especially concerned about attacks on read events, as most of create/edit/delete are done via edge functions and there I can implement sth like [this](https://www.youtube.com/watch?v=c_vVyLTz76g&ab_channel=JayCampbell).
    However, the thing is that if the Supabase URL and API key are basically public, then anyone can DDoS the direct database URL from outside the site (even if I have RLS, they can call the same data over and over again).

    So, does it make any sense to have Cloudflare? Thanks
    1
  • lucasg-1379500021438742769

    Lucas G

    3 days ago

    There are different layers to this
  • How come you're using edge functions instead of the main REST/SDK?
  • Edge functions shouldn't be used for most CRUD operations imo, it's an unnecessary layer to go through
  • lucasg-1379500953564217526

    Lucas G

    3 days ago

    That said, no, adding yet another layer through Cloudflare isn't necessary unless you're swapping out edge functions with cloudflare workers
  • lucasg-1379501370024923167

    Lucas G

    3 days ago

    Supabase has its own rate limiting features for its API endpoints
  • andreasmoller-1379533159900647504

    Andreas Møller

    3 days ago

    If you want to add DDoS protection then Cloudflare is a great choice. For smaller applications it is not worth it.

    Suppose it depends on how many enemies you have
    😂1
  • lucasg-1379533614357807307

    Lucas G

    3 days ago

    Doesn't Supabase have its own Cloudflare layer to deal with DDoS?
  • I think that was on their site
  • lucasg-1379534397191094323

    Lucas G

    3 days ago

    "In addition to protection at the CDN level via Cloudflare, we employ fail2ban to prevent brute force logins. Users can customize rate limits for critical API routes and set spend caps to prevent surprise bills."
  • andreasmoller-1379534492959641620

    Andreas Møller

    3 days ago

    ok nice
  • ssssadsadasd-1379541503780851852

    ssssadsadasd

    3 days ago

    My app will be read-heavy, and the edge functions give you the possibility to insert a lot of business logic (stuff like: create a post + add the number of posts for the profile + create tags). This business logic becomes difficult to manage only with RPC functions and triggers.
    So right now I have built only RLS for read, while I do the create/update/delete mostly with edge functions (where I also have the validation logic as an RLS).
  • ssssadsadasd-1379542180640850024

    ssssadsadasd

    3 days ago

    This is a very interesting comment. Could you shortly explain why you think that? Thanks
  • lucasg-1379542387717836883

    Lucas G

    3 days ago

    Not sure I understand this line: "while I do the create/update/delete mostly with edge functions (where I also have the validation logic as an rls)"
  • ssssadsadasd-1379542621055221932

    ssssadsadasd

    3 days ago

    What I mean is that I have some sort of RLS logic in the edge function. Sth like: if this user is not part of the group, then return an error and do not complete the edge function.
  • lucasg-1379542835388354570

    Lucas G

    3 days ago

    Do you have basic RLS on the tables themselves though
  • For all ops
  • Because otherwise, it may be possible to just bypass the edge function and do things to the db directly
  • lucasg-1379543469369987162

    Lucas G

    3 days ago

    Saw someone else missed this and users could basically delete entire tables if they wanted to
  • ssssadsadasd-1379544059554562088

    ssssadsadasd

    3 days ago

    I only have RLS for read, which means the user can only create/update/delete through the edge functions.
    The logic in the edge function is based on the authentication token, so the user cannot do anything other than what the logic for that authentication token allows him to (obviously in case the validation is correct, which would also be the case for RLS).
  • lucasg-1379548636941258863

    Lucas G

    3 days ago

    Supabase was mainly designed to be accessed via its 'standard' methods; the auth layer/helper is built into it, performance is better, and there are no 'limits' like with edge functions.
    I haven't used edge functions myself but I know some that have and they say that edge functions don't seem to be super reliable. Sometimes they're slow or simply fail.

    I don't hate edge functions or anything though, they have their place
  • lucasg-1379549197312725084

    Lucas G

    3 days ago

    They're just another tool. If you find it easier to implement all your logic that way and you're not running into other issues then probably no need to worry about it
    👍1
  • martinf4630-1380122230121435186

    MartinF

    2 days ago

    If you only have RLS on read then anyone can call the API directly and delete records without touching your edge function. This would be a simple call with public keys. Unless I've misunderstood your setup. I use Edge Functions too, have found them to be good, but you still need full RLS setup.
  • andreasmoller-1380124255013830680

    Andreas Møller

    2 days ago

    If you enable RLS for a table then all data in that table becomes private by default so no-one can read it
  • RLS policies grant access
  • If RLS is not enabled then all the data is public
  • martinf4630-1380126248751337533

    MartinF

    2 days ago

    Of course. So simple. I sometimes forget they are permissive and not restrictive, or the other way around. 🤣
  • andreasmoller-1380126736032862228

    Andreas Møller

    2 days ago

    👍
  • As long as they are turned on! So don't forget that.
    👍1
  • ssssadsadasd-1380158359889776660

    ssssadsadasd

    2 days ago

    @MartinF if I have only this RLS, could anyone call the API and create/update/delete?
    1380158359474274405-image.png
  • ssssadsadasd-1380161782718398464

    ssssadsadasd

    2 days ago

    @MartinF as @Andreas Møller points out, I obviously have RLS enabled
    1380161782437515284-image.png
  • jaycmpb-1380182866708660344

    Jay Campbell

    1 day ago

    This RLS is only for select and you don’t specify who should be able to access it (anon or authenticated), so everyone is able to read any of the records you have on this mute table.
  • ssssadsadasd-1380183044270461009

    ssssadsadasd

    1 day ago

    @Jay Campbell yes I know. My question was instead on create/update/delete.
  • lucasg-1380183468977160192

    Lucas G

    1 day ago

    No, they can’t. Only way is if there’s issues in the edge function checks
    👍1
  • lucasg-1380183747286274089

    Lucas G

    1 day ago

    You can link those if you want someone to try to do some pen testing 😂
  • ssssadsadasd-1380184127810310206

    ssssadsadasd

    1 day ago

    Thought I was gonna be another bad example of vibe coding haha
  • jaycmpb-1380184251709919393

    Jay Campbell

    1 day ago

    Them being slow is correct. I just did one to send OTPs and I’m averaging ~800ms. 😔
  • ssssadsadasd-1380184597240741908

    ssssadsadasd

    1 day ago

    You mean the edge functions? I am still finishing some of them and I was planning to get some human eyes on them in future though...
  • lucasg-1380185240760352780

    Lucas G

    1 day ago

    This is a bit of a shame. I get it’s tough for them to try to do everything but these are the type of comments that made me never touch them lol
  • lucasg-1380185686430191636

    Lucas G

    1 day ago

    they’re still useful though
  • andreasmoller-1380185833474101320

    Andreas Møller

    1 day ago

    Is 800ms bad for sending OTP?
  • If the endpoint has to wait for a response from an SMTP server it might not have anything to do with Supabase
  • lucasg-1380186250010427463

    Lucas G

    1 day ago

    No it isn’t just about the speed. I saw a lot of “they just failed to run” comments as well which was more concerning.
    I think that’s been mostly addressed though (I hope)
  • jaycmpb-1380186472229109790

    Jay Campbell

    1 day ago

    It might not be, but I’m sure if I did it with Cloudflare Workers it would be better. I’m pretty sure Supabase Edge Functions are pretty slow and unreliable in general, at least based on the amount of Reddit comments. 🤣
  • lucasg-1380186585068470375

    Lucas G

    1 day ago

    lol
  • I assume they’ve gotten better though since launch
  • andreasmoller-1380186831345291376

    Andreas Møller

    1 day ago

    I haven't used them enough to comment honestly
  • martinf4630-1380187978906730682

    MartinF

    1 day ago

    You're all good, I just had a low-caffeine induced brain fart. Andreas straightened me out.
  • martinf4630-1380188564389630182

    MartinF

    1 day ago

    I'm using edge functions to manage session tokens so I can use supabase-js client side and http-only cookies. Not had any issues with reliability and definitely wouldn't consider it slow, but then I'm from a Bubble background so I find everything blazing fast.
    👍1