What are the best practices for building a secure admin panel?

Asked By CuriousCoder123 On

I'm developing my first admin panel and I have some security concerns that I'd like to address. The panel will be used to manage users and their subscription statuses, as well as display analytics. It needs to be accessible from various IP addresses. Here's how I've set it up so far:

- I'm using Supabase with Multi-Factor Authentication (MFA).
- Users are assigned admin status in Supabase, and only those users can access the panel.
- I'm implementing a strong password policy and requiring MFA via a TOTP/authentication app for every login.
- The page URL is randomly generated, so it's not easily guessable (e.g., not /admin.html).
- No sensitive data is stored in localStorage or sessionStorage.
- There are no dependencies on a CDN.
- I've added rate limiting on the client side and I'm looking into server-side options as well.

I'd like to know if there are any other security measures I should consider. Is having a dedicated admin page a risk? Should I have different dashboard views for certain login emails? Or should I rely solely on Supabase for all administrative needs? Thanks!

1 Answer

Answered By SecureDevGuy89 On

Make sure to validate everything on your server side — client-side validation can easily be bypassed. Relying on obscure paths for security won't help either; true security requires robust checks on requests. I'm also a fan of whitelisting backend IPs, but that might not be necessary for everyone. Remember to regularly update and patch your dependencies, too!

CuriousCoder123 -

Thanks! I’ll focus on improving server-side validation.
