Shelf combines inventory records, labels/QR workflows, and team collaboration. Security hardening should focus on workspace RBAC, API keys, and secure file/media handling. Given that Shelf relies on Supabase for authentication and database services, security considerations span both the application and the underlying infrastructure.
¶ 1) Harden User and Workspace Permissions
- Restrict admin rights and review role assignments regularly
- Implement principle of least privilege for all users
- Disable self-signup in private deployments using configuration
- Separate teams/workspaces when handling sensitive asset data
- Remove dormant accounts and stale invite links promptly
- Configure workspace isolation to prevent cross-workspace data access
- Enforce strong password policies
- Implement multi-factor authentication (MFA) where possible
- Regularly audit user permissions and access levels
- Establish clear offboarding procedures for departing users
- Use Single Sign-On (SSO) integration with Google/Microsoft for centralized identity management
¶ 2) Secure API and Integration Credentials
- Store API secrets in environment-level secret managers (HashiCorp Vault, AWS Secrets Manager, etc.)
- Never hardcode credentials in configuration files or version control
- Rotate integration tokens and webhook secrets on a regular schedule (monthly recommended)
- Use unique secrets for different environments (dev, staging, prod)
- Restrict CORS and callback endpoints to approved domains only
- Add rate limits for auth, API, and label-generation endpoints
- Implement IP whitelisting for administrative endpoints
- Monitor API usage patterns for unusual activity
- Use short-lived tokens where possible
¶ 3) Protect Data and Runtime
- Enforce HTTPS with secure cookie settings (Secure, HttpOnly, SameSite flags)
- Use a reverse proxy with proper security headers
- Keep database/storage services private and restrict network access
- Implement firewall rules to limit access to necessary ports only
- Use VPN or private networks for administrative access
- Encrypt backup sets and verify restore procedures regularly
- Implement end-to-end encryption for sensitive asset data
- Use encrypted connections (TLS) for all database communications
- Apply appropriate access controls to media files and uploads
- Regularly patch Shelf application and dependencies
- Keep the host OS and container runtime updated
- Use minimal base images for containers
- Run containers with non-root users when possible
- Implement CPU/memory/request resource limits to contain the impact of denial-of-service attacks
- Regularly scan images for vulnerabilities
¶ 4) Secure the Supabase Backend
Since Shelf relies on Supabase for authentication and database services, the backend needs its own controls:
- Configure Row Level Security (RLS) policies in Supabase
- Limit database access to only necessary tables and functions
- Use service role keys sparingly and with minimal permissions
- Regularly audit database access logs
- Implement proper authentication guards for all database operations
- Configure secure OAuth providers (Google/Microsoft) properly
- Implement proper session management
- Regularly rotate Supabase API keys
- Monitor authentication logs for suspicious activity
- Configure proper password policies in Supabase Auth
- Validate and sanitize all user inputs
- Implement protection against XSS, CSRF, and injection attacks
- Use parameterized queries to prevent SQL injection
- Validate file uploads and scan for malicious content
- Implement proper output encoding
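Workspace isolation, least-privilege table access and "authentication guards for all database operations" are enforced most reliably inside Postgres itself, where they hold even for a client that talks to the Supabase API directly with the public key. The following SQL is an added illustration, not Shelf's own schema or migrations: the `workspace_members` and `assets` tables, their columns and the role names are assumptions; `auth.uid()`, `auth.users` and the `anon`/`authenticated` roles are standard Supabase constructs.

```sql
-- Added example of Supabase Row Level Security for workspace isolation.
-- Table/column names are assumptions for illustration, not Shelf's real schema.

create table if not exists workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id) on delete cascade,
  role         text not null check (role in ('owner', 'admin', 'member')),
  primary key (workspace_id, user_id)
);

create table if not exists assets (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null,
  created_by   uuid not null default auth.uid()
);

-- Deny by default: RLS on, and the public "anon" role gets no grants at all,
-- so an exposed anon key yields zero rows rather than the whole table.
alter table workspace_members enable row level security;
alter table assets enable row level security;
alter table assets force row level security;   -- also applies to the table owner
revoke all on workspace_members, assets from anon;

-- Membership check shared by every policy. SECURITY DEFINER lets it read
-- workspace_members without tripping that table's own RLS (which would recurse);
-- search_path is pinned so a caller cannot shadow the table name.
create or replace function is_workspace_member(ws uuid, min_role text default 'member')
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1
    from workspace_members m
    where m.workspace_id = ws
      and m.user_id = auth.uid()
      and case min_role
            when 'owner' then m.role = 'owner'
            when 'admin' then m.role in ('owner', 'admin')
            else true
          end
  );
$$;
revoke execute on function is_workspace_member(uuid, text) from public;
grant execute on function is_workspace_member(uuid, text) to authenticated;

-- Read: only assets in workspaces the caller belongs to.
create policy assets_select on assets
  for select to authenticated
  using (is_workspace_member(workspace_id));

-- Create: only inside the caller's own workspace, and created_by cannot be spoofed.
create policy assets_insert on assets
  for insert to authenticated
  with check (is_workspace_member(workspace_id) and created_by = auth.uid());

-- Update: the WITH CHECK clause stops an update from moving a row into another workspace.
create policy assets_update on assets
  for update to authenticated
  using (is_workspace_member(workspace_id))
  with check (is_workspace_member(workspace_id));

-- Delete: admins and owners only.
create policy assets_delete on assets
  for delete to authenticated
  using (is_workspace_member(workspace_id, 'admin'));

-- Membership rows: a user sees their own; admins see the whole workspace.
-- No insert/update/delete policy exists, so role changes cannot be made
-- through the public API and must go through trusted server-side code.
create policy members_select on workspace_members
  for select to authenticated
  using (user_id = auth.uid() or is_workspace_member(workspace_id, 'admin'));
```

Keeping the role check in one function means every policy agrees on what "member" and "admin" mean. To verify a policy from the SQL editor, open a transaction, `set role authenticated`, set `request.jwt.claims` to a JSON object whose `sub` is a test user's id, and confirm that `select * from assets` returns only rows from that user's workspaces; the service role bypasses RLS, which is exactly why the checklist says to use it sparingly.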
¶ 5) Audit and Monitoring
- Enable logging for security-relevant events
- Monitor user access patterns and unusual activities
- Log all asset check-in/check-out operations
- Track configuration changes and permission modifications
- Set up alerts for security incidents
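Logging asset check-in/check-out operations and permission modifications can be done in the database with an append-only audit table and a row-level trigger, so a record is written even when an operation bypasses the application layer. This is an added example in Postgres/Supabase SQL, not Shelf's own logging: the `asset_custody` table (one row per check-out, closed on check-in) and the audit columns are assumptions; `auth.uid()` and `auth.role()` are Supabase's helpers for the calling user and JWT role.

```sql
-- Added example: append-only audit trail written by a trigger.
-- asset_custody is an assumed table for illustration, not Shelf's schema.

create table if not exists asset_custody (
  id           uuid primary key default gen_random_uuid(),
  asset_id     uuid not null,
  custodian_id uuid not null,
  checked_out  timestamptz not null default now(),
  checked_in   timestamptz            -- null while the asset is still out
);

create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid default auth.uid(),   -- null when a service-role job runs
  actor_role  text default auth.role(),  -- 'authenticated', 'service_role', ...
  table_name  text not null,
  row_id      uuid not null,
  action      text not null,             -- INSERT / UPDATE / DELETE
  old_row     jsonb,
  new_row     jsonb
);

-- Append-only for API callers: no grants and no policies, so authenticated and
-- anon users can neither read nor rewrite history. Only the service role
-- (used by the SIEM export or dashboard) reads this table.
alter table audit_log enable row level security;
revoke all on audit_log from anon, authenticated;

-- SECURITY DEFINER so the insert succeeds even though the caller has no
-- privileges on audit_log; search_path pinned for the same reason as any definer function.
create or replace function log_row_change() returns trigger
language plpgsql security definer
set search_path = public
as $$
begin
  insert into audit_log (table_name, row_id, action, old_row, new_row)
  values (
    tg_table_name,
    case when tg_op = 'DELETE' then old.id else new.id end,
    tg_op,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;  -- return value is ignored for AFTER triggers
end;
$$;

-- A check-out is an INSERT, a check-in is the UPDATE that sets checked_in.
-- Attach the same function to the workspace membership table to capture
-- permission modifications with the same record format.
create trigger asset_custody_audit
  after insert or update or delete on asset_custody
  for each row execute function log_row_change();
```

Because `old_row` and `new_row` store the full row as JSON, an alert rule can diff them (for example, a custody row whose `custodian_id` changed without `checked_in` being set) without the trigger needing to know each table's columns in advance.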
¶ 6) Compliance and Best Practices
- Ensure compliance with relevant regulations (GDPR, CCPA, etc.)
- Implement data retention and deletion policies
- Document security procedures and controls
- Conduct regular security assessments
- Maintain incident response procedures
- Implement intrusion detection systems
- Monitor for unauthorized access attempts
- Track changes to sensitive configurations
- Set up security dashboards and alerting
- Conduct regular penetration testing
¶ 7) References
- Shelf docs: https://docs.shelf.nu/
- Shelf source repository: https://github.com/Shelf-nu/shelf.nu
- Shelf security policy: https://github.com/Shelf-nu/shelf.nu/security/policy
- Supabase security documentation: https://supabase.com/docs/guides/platform/security