This post covers security changes made to the Supabase platform in 2025 and what to expect in 2026. Some changes may be breaking.

Postgres Row Level Security (RLS) is powerful but can be complex for developers new to the pattern. Most of the changes in 2025 focused on safer defaults and better tooling to make security more accessible.

We'll cover what shipped in 2025 and outline planned improvements for 2026.

New projects can disable the Data API entirely or change the default schema from public to a custom schema like api. This gives you control over what's exposed via the auto-generated REST and GraphQL APIs.

Existing projects can disable the Data API in project settings. Once disabled, you can continue to use the database like standard Postgres (similar to RDS), connecting directly or through the connection pooler.
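The custom-schema option described above, sketched as an added example (not Supabase's own code). It assumes the exposed schema has been switched from public to api in the Data API settings, that the standard Supabase roles anon and authenticated and the auth.uid() function exist, and that Postgres is version 15 or later; the private schema, the invoices table and its columns are hypothetical.

```sql
-- Added example: schema, table and column names below are hypothetical.

-- 1. Base tables live in a schema the Data API does not expose.
create schema if not exists private;

create table private.invoices (
  id             bigint generated always as identity primary key,
  owner_id       uuid not null,
  amount         numeric(12,2) not null,
  internal_notes text              -- never meant to reach API clients
);

alter table private.invoices enable row level security;

create policy invoices_owner_read on private.invoices
  for select to authenticated
  using (owner_id = (select auth.uid()));

-- 2. The api schema contains only what clients are meant to see.
create schema if not exists api;

create view api.invoices
  with (security_invoker = true)   -- RLS is evaluated as the calling role
as
  select id, owner_id, amount from private.invoices;

-- 3. Grants: signed-in users only, and only the columns the view selects.
--    anon receives nothing.
grant usage on schema api to authenticated;
grant select on api.invoices to authenticated;
grant select (id, owner_id, amount) on private.invoices to authenticated;

-- 4. Audit: tables placed directly in the exposed schema that an API role
--    can read while RLS is off. An empty result is the expected state.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'api'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity
  and (has_table_privilege('anon', c.oid, 'SELECT')
       or has_table_privilege('authenticated', c.oid, 'SELECT'));
```

Without security_invoker the view runs with its owner's privileges, and the row-level policy on the base table may not be applied to the caller.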