Postgres SSL Enforcement
note
Postgres SSL Enforcement is currently in beta. Some projects need to upgrade to the latest version to use this feature.
Your Supabase project supports connecting to the Postgres DB without SSL enabled to maximize client compatibility. For increased security, you can prevent clients from connecting if they're not using SSL.
SSL enforcement only applies to connections to both Postgres and PgBouncer ("Connection Pooler"); all HTTP APIs offered by Supabase (e.g., PostgREST, Storage, Auth) automatically enforce SSL on all incoming connections.
Manage SSL enforcement via the Dashboard#
SSL enforcement can be configured via the "Enforce SSL on incoming connections" setting under the SSL Configuration section in Database Settings page of the dashboard.
Manage SSL enforcement via the CLI#
To get started:
- Install the Supabase CLI 1.37.0+.
- Log in to your Supabase account using the CLI.
- Ensure that you have Owner or Admin permissions for the project that you are enabling SSL enforcement.
Check enforcement status#
You can use the get
subcommand of the CLI to check whether SSL is currently being enforced:
_10> supabase ssl-enforcement --project-ref {ref} get --experimental_10SSL is being enforced.
Or similarly, if SSL is not being enforced, you will see:
_10> supabase ssl-enforcement --project-ref {ref} get --experimental_10SSL is *NOT* being enforced.
Update enforcement#
The update
subcommand is used to change the SSL enforcement status for your project:
_10> supabase ssl-enforcement --project-ref {ref} update --enable-db-ssl-enforcement --experimental_10SSL is now being enforced.
Similarly, to disable SSL enforcement:
_10> supabase ssl-enforcement --project-ref {ref} update --disable-db-ssl-enforcement --experimental_10SSL is *NOT* being enforced.