Important questions about Rate Limiting & Reverse Proxies #28575
Unanswered
thedrkness asked this question in Questions
Replies: 1 comment
-
Hey @thedrkness, were you able to find any solution?
-
Hey, I am currently creating a Supabase project using Express for the backend and Next.js for the front end. I will be hosting both on a DigitalOcean VPS with nginx. I've been looking around a bit on Reddit, Discord & GitHub, and I had a few questions when it comes to DDoS protection and mitigations:
For context, I'm not using the client at all and rather just making fetch calls from Next.js ---> Express. I have RLS enabled and am storing the user OAuth tokens in a cookie.
With the custom domain product offered by Supabase, will I be able to add rate limits through Cloudflare for the subdomain I link to Supabase? When it comes to the OAuth redirect URL, will this be obfuscated as well in the network tab when redirecting to an OAuth provider (/callback) URL?
If I wanted to reverse proxy the Supabase URL to my domain without a custom domain, will I be able to set that OAuth redirect URL to my domain (is there a workaround for that URL so I can hide it from the client's network tab)?
Overall I'm trying to understand the best way to mitigate a DDoS attack on the URL. I understand we can set up rate limits for tables, but having such a vulnerability that can run up costs is something I would like to avoid if possible. I have read all the posts related to this on Reddit, Discord and GitHub discussions and haven't found a concise answer other than reverse proxies. Thanks for any insight 🙂