Part 7 — Security and the load test

via Dev.to, by Dinh Doan Van Bien

Part 7 of 7 — Self-hosting Supabase: a learning journey

We have a working two-project cluster. Now two questions: is it actually secure, and what does it take to break it?

The security layers

Security here is defense in depth: multiple layers, each one adding friction for an attacker. No single layer is sufficient on its own.

ufw and fail2ban

The outer layer. Only ports 22, 80, and 443 are open. fail2ban bans an IP address after five failed SSH attempts. This blunts automated scanners and SSH brute-force attacks.

Kong: key authentication and rate limiting

Every request to the API must include a valid apikey header. Without it, Kong returns 401 before the request reaches any backend service: GoTrue, PostgREST, Realtime, and Storage never see unauthenticated traffic.

Rate limiting: 30 requests per minute per consumer by default. This limits the damage from credential stuffing attempts and protects GoTrue from being used as a bulk signup platform.

Kong is configured via a YAML file ( kong.y
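The two Kong controls described above (key-auth on the apikey header, 30 requests per minute per consumer) expressed as a Kong declarative (DB-less) configuration. This is an added example, not the article's own kong file: the service name, upstream URL, route path and the placeholder key value are assumptions chosen for illustration, and only one service is shown where a real deployment has several.

```yaml
# Added example: Kong declarative config for one upstream behind
# key authentication and per-consumer rate limiting.
# Service name, URL, path and key value are illustrative assumptions.
_format_version: "3.0"
_transform: true

services:
  - name: auth-v1            # assumed name; fronts GoTrue
    url: http://auth:9999/   # assumed upstream address
    routes:
      - name: auth-v1-all
        paths:
          - /auth/v1/        # assumed public path
        strip_path: true
    plugins:
      # Reject any request without a valid key with 401 before it
      # is proxied upstream; only the apikey header is accepted.
      - name: key-auth
        config:
          key_names:
            - apikey
          key_in_query: false
          hide_credentials: false
      # 30 requests per minute, counted per authenticated consumer.
      # policy: local keeps counters in this Kong node's memory,
      # which is sufficient for a single-host deployment.
      - name: rate-limiting
        config:
          minute: 30
          limit_by: consumer
          policy: local
          fault_tolerant: true

consumers:
  - username: anon
    keyauth_credentials:
      - key: REPLACE_WITH_ANON_KEY   # placeholder, not a real key
```

Two caveats a practitioner will want: with `limit_by: consumer` Kong falls back to limiting by client IP when no consumer is identified, so unauthenticated traffic is still throttled before it is rejected; and `policy: local` counts per Kong node, so if Kong is ever scaled to more than one instance the limit must move to the `cluster` or `redis` policy to stay global.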

Continue reading on Dev.to
