Security
Comprehensive security implementation guide
Core Security Implementation
AnotherWrapper includes several security features out of the box. This guide explains the existing security measures and shows how to implement optional rate limiting:
- Database Security (RLS)
- API Route Protection
- Rate Limiting (not implemented but easy to add)
- AI Services Abuse Protection
- Email Security
Database Security with Supabase RLS
If you’ve followed the setup guides, Row Level Security (RLS) is already enabled and configured for all your tables, ensuring users can only access their own data.
RLS Guiding Principles
- User Ownership: Use
auth.uid()
to match the authenticated user with their data - Default Deny: Start with all access denied, then explicitly grant permissions
- Minimal Access: Give users access only to what they absolutely need
- Separate Policies: Create distinct policies for different operations (SELECT, INSERT, etc.)
Here’s an example of common RLS policies:
These policies ensure that users can only access, modify, or delete their own data, while administrators can manage all records through superuser access.
API Route Protection
All sensitive API routes in AnotherWrapper are automatically protected by authentication middleware:
Rate Limiting (Recommended)
Rate limiting is not implemented by default, but you can easily add it to protect your API routes from abuse. Here’s how:
- First, set up Upstash Redis:
- Add to your
.env
:
- Update the following files to implement rate limiting:
The middleware handles the rate limiting logic, while the blocked page provides a user-friendly interface when limits are exceeded. Users will be redirected to this page when they hit the rate limit on non-API routes.
AI Services Abuse Protection
Protect against AI service abuse by setting hard limits in your AI service dashboards:
Always set up budget alerts and hard limits in your AI service dashboards to prevent unexpected costs.
All AI providers (OpenAI, Replicate, Anthropic, ElevenLabs, Groq) have built-in tools to regulate usage and set maximum spending limits. Make sure to configure these limits in each provider’s dashboard to prevent abuse and unexpected costs.
Email Security
Supabase Magic Links
- Default rate limit: 3 emails per hour without custom SMTP
- With custom SMTP setup, you can configure your own rate limits
Loops Email Service
- Built-in rate limit: 10 requests per second per team
- View Loops API Documentation
Remember to regularly review your security implementations and update them as needed.