Supabase Security Guide

How secure are Supabase Edge Functions?

Supabase Edge Functions run on Deno Deploy and are isolated from your database by default. They can access the database using the service_role key, which means any vulnerability in an edge function could lead to unrestricted database access. Edge functions should validate and sanitize all user input, implement proper authentication checks, and avoid exposing sensitive environment variables in responses. By default, edge functions require a valid JWT in the Authorization header unless verify_jwt is set to false. UNPWNED tests your edge function endpoints for common vulnerabilities including missing authentication, input validation issues, and information disclosure.
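The checks described above, sketched as an added example that is not code from this page or from Supabase: a hypothetical "delete my note" handler core that rejects tokens which pass the gateway but carry no signed-in user, validates the body, and returns fixed error strings. The names decide, readClaims, safeError, sampleToken and the note_id field are assumptions made for illustration.

```typescript
// Added example. Assumes verify_jwt is left at its default, so the platform already
// checked the signature; with verify_jwt = false, verify it before trusting any claim.
type Result = { status: number; body: Record<string, unknown> };
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed sample token (placeholder header and signature) for local runs.
function sampleToken(claims: object): string {
  const p = btoa(JSON.stringify(claims)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `Bearer h.${p}.s`;
}

// Decode the JWT payload (base64url JSON); returns null on any malformed input.
function readClaims(authorization: string | null): Record<string, unknown> | null {
  const m = /^Bearer [\w-]+\.([\w-]+)\.[\w-]+$/.exec(authorization ?? "");
  if (!m) return null;
  try {
    const claims = JSON.parse(atob(m[1].replace(/-/g, "+").replace(/_/g, "/")));
    return claims && typeof claims === "object" ? claims : null;
  } catch {
    return null;
  }
}

// Hypothetical handler core: the caller's id comes from the token, never the body.
function decide(authorization: string | null, rawBody: string): Result {
  const claims = readClaims(authorization);
  // A validly signed token can still carry role "anon" rather than a signed-in user.
  if (!claims || claims.role !== "authenticated" || typeof claims.sub !== "string") {
    return { status: 401, body: { error: "unauthorized" } };
  }
  let input: unknown;
  try { input = JSON.parse(rawBody); } catch { return { status: 400, body: { error: "invalid_json" } }; }
  const noteId = (input as { note_id?: unknown } | null)?.note_id;
  if (typeof noteId !== "string" || !UUID.test(noteId)) {
    return { status: 400, body: { error: "invalid_note_id" } };
  }
  // Scope any later service_role query by the token's sub and the validated id.
  return { status: 200, body: { user_id: claims.sub, note_id: noteId } };
}

// Error path: log detail server-side; the response never echoes err or env values.
function safeError(err: unknown): Result {
  console.error("edge function failure:", err);
  return { status: 500, body: { error: "internal_error" } };
}
```

In a deployed function the Authorization header and body text would come from the incoming Request, and the returned status and body would be wrapped in a Response.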

Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.