Skip to main content
Supabase provides robust network security features to control who can connect to your database and how connections are secured. Configure IP restrictions to whitelist trusted networks and enforce SSL to ensure all connections are encrypted.

Network Security Overview

Protect your database with multiple layers of network security:

IP Restrictions

Whitelist specific IP addresses or CIDR ranges

SSL Enforcement

Require encrypted connections to PostgreSQL

API Protection

JWT-based authentication for all HTTP APIs

DDoS Protection

Built-in protection against abuse

IP Restrictions (Network Restrictions)

Network restrictions allow you to specify which IP addresses can connect to your PostgreSQL database and connection pooler.

How It Works

Restrictions are enforced before traffic reaches your database:
  1. Connection attempt from IP address
  2. IP checked against allowed list
  3. If not allowed: Connection blocked
  4. If allowed: Authentication required (must still have valid credentials)
Network restrictions apply to direct database connections and pooler connections, not HTTP APIs (PostgREST, Storage, Auth).

Enable via Dashboard

1

Navigate to settings

Go to DatabaseSettings in your project dashboard
2

Find Network Restrictions

Scroll to the Network Restrictions section at the bottom
If you don’t see this section, update your PostgreSQL version in SettingsInfrastructure.
3

Add allowed CIDRs

Click Add restriction and enter:
  • IPv4 CIDR: e.g., 192.168.1.0/24
  • IPv6 CIDR: e.g., 2001:db8::/32
Common examples:
  • Single IP: 203.0.113.5/32
  • Subnet: 203.0.113.0/24 (256 addresses)
  • All IPv4: 0.0.0.0/0 (no restrictions)
  • All IPv6: ::/0 (no restrictions)
4

Save changes

Click Apply to activate restrictions

Enable via CLI

# Install Supabase CLI 1.22.0+
supabase --version

# Login
supabase login

# Check current restrictions
supabase network-restrictions \
  --project-ref <your-ref> \
  get --experimental

# Add restrictions
supabase network-restrictions \
  --project-ref <your-ref> \
  update \
  --db-allow-cidr 203.0.113.5/32 \
  --db-allow-cidr 2001:db8::/64 \
  --experimental

Enable via Management API

export SUPABASE_ACCESS_TOKEN="your-token"
export PROJECT_REF="your-project-ref"

# Get current restrictions
curl -X GET \
  "https://api.supabase.com/v1/projects/$PROJECT_REF/network-restrictions" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN"

# Update restrictions  
curl -X POST \
  "https://api.supabase.com/v1/projects/$PROJECT_REF/network-restrictions/apply" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "db_allowed_cidrs": [
      "203.0.113.0/24",
      "2001:db8::/64"
    ]
  }'

IPv4 and IPv6 Considerations

If your database resolves to an IPv6 address, you must add both IPv4 and IPv6 CIDRs to the allow list.
Check your database IP version: 
nslookup db.your-project.supabase.co
If you see both IPv4 and IPv6 addresses, add both: 
supabase network-restrictions \
  --project-ref <ref> \
  update \
  --db-allow-cidr 203.0.113.0/24 \      # IPv4
  --db-allow-cidr 2001:db8::/64 \       # IPv6
  --experimental
Exceptions (only IPv4 needed):
  • You have the IPv4 add-on enabled
  • You have an IPv6 migration extension

Common CIDR Examples

Use CaseIPv4 CIDRIPv6 CIDR
Single IP203.0.113.5/322001:db8::1/128
Small office203.0.113.0/242001:db8::/64
Corporate network10.0.0.0/16fd00::/16
Cloud provider region52.0.0.0/82600::/16
Allow all (remove restrictions)0.0.0.0/0::/0

Find Your IP Address

To whitelist your current IP: 
# Your public IPv4
curl -4 https://api.ipify.org

# Your public IPv6  
curl -6 https://api6.ipify.org
Then add as /32 (IPv4) or /128 (IPv6): 
supabase network-restrictions \
  --project-ref <ref> \
  update \
  --db-allow-cidr $(curl -4 https://api.ipify.org)/32 \
  --experimental

Remove Restrictions

Allow connections from any IP: 
supabase network-restrictions \
  --project-ref <ref> \
  update \
  --db-allow-cidr 0.0.0.0/0 \
  --db-allow-cidr ::/0 \
  --experimental

SSL Enforcement

Enforce encrypted connections to your PostgreSQL database.

Why Enable SSL Enforcement

By default, Supabase allows both SSL and non-SSL connections for compatibility. Enforce SSL to:
  • Prevent eavesdropping: Protect credentials and data in transit
  • Prevent tampering: Ensure data integrity
  • Meet compliance: Required for SOC 2, HIPAA, etc.
  • Defense in depth: Additional security layer
HTTP APIs (PostgREST, Storage, Auth) always enforce SSL. This setting only applies to PostgreSQL connections.

Enable via Dashboard

1

Navigate to settings

Go to DatabaseSettings
2

Find SSL Configuration

Scroll to SSL Configuration section
3

Enable enforcement

Toggle Enforce SSL on incoming connections
4

Confirm reboot

Click Confirm (triggers brief database restart)
Enabling SSL enforcement triggers a database reboot:
  • Small projects: Few seconds
  • Large projects: A few minutes
  • Plan maintenance window accordingly

Enable via CLI

# Install CLI 1.37.0+
supabase --version

# Check current status
supabase ssl-enforcement \
  --project-ref <ref> \
  get --experimental

# Enable SSL enforcement
supabase ssl-enforcement \
  --project-ref <ref> \
  update --enable-db-ssl-enforcement \
  --experimental

# Disable SSL enforcement
supabase ssl-enforcement \
  --project-ref <ref> \
  update --disable-db-ssl-enforcement \
  --experimental

Enable via Management API

export SUPABASE_ACCESS_TOKEN="your-token"
export PROJECT_REF="your-project-ref"

# Check status
curl -X GET \
  "https://api.supabase.com/v1/projects/$PROJECT_REF/ssl-enforcement" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN"

# Enable
curl -X PUT \
  "https://api.supabase.com/v1/projects/$PROJECT_REF/ssl-enforcement" \
  -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "requestedConfig": {
      "database": true
    }
  }'

PostgreSQL SSL Modes

PostgreSQL clients support different SSL modes:
ModeEavesdropping ProtectionMITM ProtectionNotes
disableNoNoNever use in production
allowMaybeNoFalls back to unencrypted
preferMaybeNoDefault, tries SSL first
requireYesNoRequires SSL, doesn’t verify cert
verify-caYesDependsVerifies certificate authority
verify-fullYesYesRecommended for production

Using verify-full Mode

For maximum security, use verify-full:
1

Download CA certificate

  1. Go to DatabaseSettings
  2. Scroll to SSL Configuration
  3. Download prod-ca-2021.crt
2

Add to trusted CAs

# Linux/macOS
cat prod-ca-2021.crt >> ~/.postgresql/root.crt

# Windows
# Place in: %APPDATA%\postgresql\root.crt
3

Connect with verify-full

psql "postgresql://postgres:[password]@db.your-project.supabase.co:6543/postgres?sslmode=verify-full"
With connection libraries: 
const { Pool } = require('pg')
const fs = require('fs')

const pool = new Pool({
  host: 'db.your-project.supabase.co',
  port: 6543,
  database: 'postgres',
  user: 'postgres',
  password: 'your-password',
  ssl: {
    rejectUnauthorized: true,
    ca: fs.readFileSync('./prod-ca-2021.crt').toString(),
  },
})

Limitations

Network Restrictions

Network restrictions currently only apply to:
  • Direct PostgreSQL connections
  • Connection pooler (Supavisor)
They do NOT apply to:
  • PostgREST (REST API)
  • Storage API
  • Auth API
  • Realtime
  • Supabase client libraries
Workarounds for HTTP APIs:
  • Use Row Level Security (RLS) policies
  • Implement application-level IP filtering
  • Use a CDN with IP restrictions (Cloudflare, etc.)
  • Deploy behind a VPN or private network

Edge Functions and Network Restrictions

Security Best Practices

1

Start restrictive

Begin with specific IPs, expand only as needed:
# Start: Only office IP
--db-allow-cidr 203.0.113.5/32

# Expand: Add cloud provider
--db-allow-cidr 52.0.0.0/16

# Avoid: Allowing everything
--db-allow-cidr 0.0.0.0/0  # Defeats the purpose!
2

Enable SSL enforcement

Always enforce SSL in production
3

Use verify-full for critical apps

Maximum security with certificate verification
4

Combine with RLS

Network restrictions + RLS = defense in depth
5

Document your CIDRs

Keep a record of what each CIDR represents:
# Office network: 203.0.113.0/24
# AWS us-east-1: 52.0.0.0/16  
# CI/CD runner: 198.51.100.5/32
6

Review regularly

Audit and remove unused IP ranges quarterly

Common Scenarios

Scenario 1: Development Team

# Office static IP
--db-allow-cidr 203.0.113.0/24

# VPN endpoint
--db-allow-cidr 198.51.100.1/32

# CI/CD runner
--db-allow-cidr 192.0.2.50/32

Scenario 2: Cloud Application

# Vercel serverless IPs (example)
--db-allow-cidr 76.76.21.0/24

# AWS Lambda (NAT Gateway)
--db-allow-cidr 52.1.2.3/32

# GitHub Actions runner
--db-allow-cidr 140.82.112.0/20

Scenario 3: Multi-Region App

# US region
--db-allow-cidr 52.0.0.0/16

# EU region  
--db-allow-cidr 18.0.0.0/16

# APAC region
--db-allow-cidr 13.0.0.0/16

Troubleshooting

Error: connection refused or timeoutSolution:
  • Verify your IP is in allow list
  • Check you added correct IP: curl https://api.ipify.org
  • Add both IPv4 and IPv6 if database uses IPv6
  • Ensure CIDR notation is correct (/32 for single IP)
Error: SSL connection has been closed unexpectedlySolution:
  • Update client to support SSL
  • Use sslmode=require or higher
  • Download and install CA certificate for verify-full
  • Check firewall allows SSL connections
Error: Edge Function times out connecting to databaseSolution:
  • Use Supabase client library (not direct postgres connection)
  • Or: Disable network restrictions
  • Or: Use PostgREST API from Edge Function
Error: Connection works sometimes, fails other timesCause: Database has IPv6, only IPv4 CIDR addedSolution:
# Add both IPv4 and IPv6
supabase network-restrictions update \
  --db-allow-cidr 203.0.113.0/24 \  # IPv4
  --db-allow-cidr 2001:db8::/64     # IPv6

Network Security Checklist

Before going to production:

Next Steps

Row Level Security

Implement database-level access control

Encryption

Understand data encryption in Supabase

Production Checklist

Complete pre-launch security review

Auth Security

Secure your authentication flows