Database Security Checklist: 18-Item Guide for Production

TL;DR

Database security is critical for any application storing user data. This checklist covers authentication, access control, encryption, query safety, backups, and monitoring. 5 critical items must be fixed before launch, 7 important items within the first week, and 6 recommended items when you can.

Quick Checklist (5 Critical Items)

Use strong, unique database passwordsGenerate random passwords with 20+ characters

Enable Row Level Security (Supabase/PostgreSQL)RLS must be enabled AND have policies on all tables

Use SSL/TLS for all connectionsVerify connection strings include sslmode=require

Use parameterized queriesNever concatenate user input into SQL

Enable automated backupsUse your provider's backup feature or implement daily backups

Authentication & Credentials 4

Use strong, unique database passwordsGenerate random passwords with 20+ characters. Never reuse passwords. How to secure database credentials

Store credentials in environment variablesNever hardcode database URLs or passwords in code. How to configure env variables

Use separate credentials per environmentDevelopment, staging, and production should have different database credentials. How to manage environment credentials

Rotate credentials periodicallyChange database passwords at least annually, or after team member departures. How to rotate credentials

Access Control 5

Enable Row Level Security (Supabase/PostgreSQL)RLS must be enabled AND have policies on all tables. RLS without policies blocks all access. How to set up Supabase RLS

Configure Firebase Security RulesFirestore and Realtime Database need explicit rules. Default rules allow no access. How to configure Firebase rules

Implement least privilege principleDatabase users should only have permissions they need. Avoid using admin accounts. How to implement least privilege

Test data isolation between usersLog in as User A and verify you cannot access User B's data by modifying IDs. How to test data isolation

Restrict network accessDatabase should only be accessible from your application servers, not the public internet. How to restrict network access

Connection Security 3

Use SSL/TLS for all connectionsVerify connection strings include sslmode=require or equivalent. How to enable database SSL

Use connection poolingPrevent connection exhaustion attacks with connection limits and pooling. How to set up connection pooling

Set connection timeoutsConfigure idle and query timeouts to prevent hanging connections. How to configure timeouts

Query Security 3

Use parameterized queriesNever concatenate user input into SQL. Use prepared statements or ORM methods. How to prevent SQL injection

Validate and sanitize inputsValidate data types and lengths before database operations. How to validate inputs

Limit query resultsAlways use LIMIT clauses to prevent returning entire tables. How to limit query results

Backup & Recovery 3

Enable automated backupsUse your provider's backup feature or implement daily automated backups. How to set up backups

Test backup restorationActually restore from a backup to verify it works. Untested backups are not backups. How to test restoration

Store backups securelyEncrypt backups and store in a different location than your primary database. How to secure backups

Database-Specific Considerations

For Supabase: Enable RLS on every table and write policies for each operation (SELECT, INSERT, UPDATE, DELETE). The service_role key bypasses RLS and should never be exposed to clients.

For Firebase: Default security rules block all access. You must write explicit rules. Test rules thoroughly using the Rules Simulator in Firebase Console before deploying.

For MongoDB: Enable authentication, use network restrictions, and validate documents before insertion to prevent NoSQL injection attacks.

What is the most important database security measure?

Access control is the most critical database security measure. This includes strong authentication, authorization rules (like Supabase RLS or Firebase Security Rules), and the principle of least privilege. Without proper access control, attackers with database access can read or modify any data.

Should I encrypt my database?

Yes, use encryption at rest and in transit. Most managed database providers (Supabase, PlanetScale, Neon) encrypt data at rest by default. Always use SSL/TLS for connections. For highly sensitive fields like SSNs or payment data, consider application-level encryption as an additional layer.

How often should I backup my database?

Frequency depends on your data change rate and acceptable data loss. Most production apps need at least daily backups. For frequently changing data, consider point-in-time recovery. Always test your backup restoration process. A backup you cannot restore from is worthless.