[{"data":1,"prerenderedAt":230},["ShallowReactive",2],{"blog-checklists/database-security-checklist":3},{"id":4,"title":5,"body":6,"category":205,"date":206,"dateModified":206,"description":207,"draft":208,"extension":209,"faq":210,"featured":208,"headerVariant":215,"image":216,"keywords":216,"meta":217,"navigation":218,"ogDescription":219,"ogTitle":216,"path":220,"readTime":216,"schemaOrg":221,"schemaType":222,"seo":223,"sitemap":224,"stem":225,"tags":226,"twitterCard":228,"__hash__":229},"blog/blog/checklists/database-security-checklist.md","Database Security Checklist: 18-Item Guide for Production",{"type":7,"value":8,"toc":199},"minimark",[9,16,19,22,47,66,89,104,118,132,137,140,143,146,168,187],[10,11,12],"tldr",{},[13,14,15],"p",{},"Database security is critical for any application storing user data. This checklist covers authentication, access control, encryption, query safety, backups, and monitoring. 5 critical items must be fixed before launch, 7 important items within the first week, and 6 recommended items when you can.",[13,17,18],{},"Your database is where all the stuff you actually care about lives -- user data, payment info, the works. A misconfigured database is the fastest path to a breach that ends up on Hacker News. 
Whether you are on Postgres, MongoDB, Supabase, or Firebase, these items apply.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Generate random passwords with 20+ characters","Use strong, unique database passwords",[27,32],{"description":33,"label":34},"RLS must be enabled AND have policies on all tables","Enable Row Level Security (Supabase/PostgreSQL)",[27,36],{"description":37,"label":38},"Verify connection strings include sslmode=require","Use SSL/TLS for all connections",[27,40],{"description":41,"label":42},"Never concatenate user input into SQL","Use parameterized queries",[27,44],{"description":45,"label":46},"Use your provider's backup feature or implement daily backups","Enable automated backups",[23,48,51,54,58,62],{"title":49,"count":50},"Authentication & Credentials","4",[27,52],{"description":53,"label":30},"Generate random passwords with 20+ characters. Never reuse passwords. How to secure database credentials",[27,55],{"description":56,"label":57},"Never hardcode database URLs or passwords in code. How to configure env variables","Store credentials in environment variables",[27,59],{"description":60,"label":61},"Development, staging, and production should have different database credentials. How to manage environment credentials","Use separate credentials per environment",[27,63],{"description":64,"label":65},"Change database passwords at least annually, or after team member departures. How to rotate credentials","Rotate credentials periodically",[23,67,70,73,77,81,85],{"title":68,"count":69},"Access Control","5",[27,71],{"description":72,"label":34},"RLS must be enabled AND have policies on all tables. RLS without policies blocks all access. How to set up Supabase RLS",[27,74],{"description":75,"label":76},"Firestore and Realtime Database need explicit rules. Default rules allow no access. 
How to configure Firebase rules","Configure Firebase Security Rules",[27,78],{"description":79,"label":80},"Database users should only have permissions they need. Avoid using admin accounts. How to implement least privilege","Implement least privilege principle",[27,82],{"description":83,"label":84},"Log in as User A and verify you cannot access User B's data by modifying IDs. How to test data isolation","Test data isolation between users",[27,86],{"description":87,"label":88},"Database should only be accessible from your application servers, not the public internet. How to restrict network access","Restrict network access",[23,90,93,96,100],{"title":91,"count":92},"Connection Security","3",[27,94],{"description":95,"label":38},"Verify connection strings include sslmode=require or equivalent. How to enable database SSL",[27,97],{"description":98,"label":99},"Prevent connection exhaustion attacks with connection limits and pooling. How to set up connection pooling","Use connection pooling",[27,101],{"description":102,"label":103},"Configure idle and query timeouts to prevent hanging connections. How to configure timeouts","Set connection timeouts",[23,105,107,110,114],{"title":106,"count":92},"Query Security",[27,108],{"description":109,"label":42},"Never concatenate user input into SQL. Use prepared statements or ORM methods. How to prevent SQL injection",[27,111],{"description":112,"label":113},"Validate data types and lengths before database operations. How to validate inputs","Validate and sanitize inputs",[27,115],{"description":116,"label":117},"Always use LIMIT clauses to prevent returning entire tables. How to limit query results","Limit query results",[23,119,121,124,128],{"title":120,"count":92},"Backup & Recovery",[27,122],{"description":123,"label":46},"Use your provider's backup feature or implement daily automated backups. How to set up backups",[27,125],{"description":126,"label":127},"Actually restore from a backup to verify it works. 
Untested backups are not backups. How to test restoration","Test backup restoration",[27,129],{"description":130,"label":131},"Encrypt backups and store in a different location than your primary database. How to secure backups","Store backups securely",[133,134,136],"h2",{"id":135},"database-specific-considerations","Database-Specific Considerations",[13,138,139],{},"For Supabase: Enable RLS on every table and write policies for each operation (SELECT, INSERT, UPDATE, DELETE). The service_role key bypasses RLS and should never be exposed to clients.",[13,141,142],{},"For Firebase: Default security rules block all access. You must write explicit rules. Test rules thoroughly using the Rules Simulator in Firebase Console before deploying.",[13,144,145],{},"For MongoDB: Enable authentication, use network restrictions, and validate documents before insertion to prevent NoSQL injection attacks.",[147,148,149,156,162],"faq-section",{},[150,151,153],"faq-item",{"question":152},"What is the most important database security measure?",[13,154,155],{},"Access control is the most critical database security measure. This includes strong authentication, authorization rules (like Supabase RLS or Firebase Security Rules), and the principle of least privilege. Without proper access control, attackers with database access can read or modify any data.",[150,157,159],{"question":158},"Should I encrypt my database?",[13,160,161],{},"Yes, use encryption at rest and in transit. Most managed database providers (Supabase, PlanetScale, Neon) encrypt data at rest by default. Always use SSL/TLS for connections. For highly sensitive fields like SSNs or payment data, consider application-level encryption as an additional layer.",[150,163,165],{"question":164},"How often should I back up my database?",[13,166,167],{},"Frequency depends on your data change rate and acceptable data loss. Most production apps need at least daily backups. For frequently changing data, consider point-in-time recovery. 
Always test your backup restoration process. A backup you cannot restore from is worthless.",[169,170,171,177,182],"related-articles",{},[172,173],"related-card",{"description":174,"href":175,"title":176},"RLS and database security checklist","/blog/checklists/supabase-security-checklist","Supabase Security Checklist",[172,178],{"description":179,"href":180,"title":181},"Security rules and Firestore best practices","/blog/checklists/firebase-security-checklist","Firebase Security Checklist",[172,183],{"description":184,"href":185,"title":186},"Step-by-step RLS configuration guide","/blog/how-to/setup-supabase-rls","How to Set Up Supabase RLS",[188,189,192,196],"cta-box",{"href":190,"label":191},"/","Start Free Scan",[133,193,195],{"id":194},"scan-your-database-configuration","Scan Your Database Configuration",[13,197,198],{},"Our scanner checks for common database security issues including exposed credentials and missing access controls.",{"title":200,"searchDepth":201,"depth":201,"links":202},"",2,[203,204],{"id":135,"depth":201,"text":136},{"id":194,"depth":201,"text":195},"checklists","2026-01-27","Comprehensive database security checklist for production apps. Covers PostgreSQL, MySQL, MongoDB, Supabase, Firebase, and more.",false,"md",[211,213],{"question":152,"answer":212},"Access control is the most critical database security measure. This includes strong authentication, authorization rules (like Supabase RLS or Firebase Security Rules), and the principle of least privilege. Without proper access control, other security measures become ineffective.",{"question":158,"answer":214},"Yes, use encryption at rest and in transit. Most managed database providers (Supabase, PlanetScale, Neon) encrypt data at rest by default. Always use SSL/TLS for connections. For sensitive fields like SSNs or payment data, consider application-level encryption.","green",null,{},true,"Database security checklist. 
18 items to secure your database before production.","/blog/checklists/database-security-checklist","[object Object]","HowTo",{"title":5,"description":207},{"loc":220},"blog/checklists/database-security-checklist",[227],"Security Checklist","summary_large_image","NhbUJ3fAEmCfqlmImd5B7R4t3x5IqlrS1So7egdhinQ",1775843931495]