Security
Last updated June 5, 2026
Farmstand is being built with a security-first production path: provider keys stay server-side, farm data is scoped per account, and payment handling runs through Stripe.
Authentication
Farmstand uses Supabase authentication for owner accounts and protected dashboard routes. The dashboard, website studio, billing, farm records, products, orders, and settings routes require an authenticated user.
Data Isolation
Farm records are tied to a farm owner. Supabase row-level security policies scope farm data to the owning user or, where applicable, to an approved portal customer. Service-role access is reserved for trusted server routes that need backend operations.
Payments
Stripe secret keys and webhook secrets must live only in server environment variables. Browser code should never receive secret keys. Stripe webhook signatures are verified before payment events update orders or billing state.
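The verify-before-update step described above, as an added example rather than Farmstand's own code. It follows Stripe's documented scheme (HMAC-SHA256 over `timestamp.rawBody`, compared against the `v1` values in the `Stripe-Signature` header); the function names, the 300-second tolerance, and the in-memory `orders` map are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not Farmstand's code.
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300; // assumed replay window for this example

// Parse "t=<unix>,v1=<hex>[,v1=<hex>...]" from the Stripe-Signature header.
function parseSignatureHeader(header) {
  const parsed = { timestamp: null, v1: [] };
  for (const part of String(header || "").split(",")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === "t" && /^\d+$/.test(value)) parsed.timestamp = Number(value);
    if (key === "v1") parsed.v1.push(value);
  }
  return parsed;
}

// HMAC-SHA256 over "<timestamp>.<rawBody>", hex encoded.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`, "utf8").digest("hex");
}

// rawBody must be the exact string received, before any JSON parsing.
function verifyWebhook(rawBody, header, secret, nowSeconds) {
  const { timestamp, v1 } = parseSignatureHeader(header);
  if (timestamp === null || v1.length === 0) return { ok: false, reason: "malformed_header" };
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "utf8");
  const match = v1.some((candidate) => {
    const given = Buffer.from(candidate, "utf8");
    // timingSafeEqual throws on unequal lengths, so check length first.
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  if (!match) return { ok: false, reason: "bad_signature" };
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return { ok: false, reason: "stale_timestamp" };
  return { ok: true, event: JSON.parse(rawBody) };
}

// Hypothetical handler: order state changes only after verification succeeds.
function handleWebhook(rawBody, header, secret, nowSeconds, orders) {
  const result = verifyWebhook(rawBody, header, secret, nowSeconds);
  if (!result.ok) return { status: 400, reason: result.reason };
  if (result.event.type === "checkout.session.completed") {
    orders.set(result.event.data.object.client_reference_id, "paid");
  }
  return { status: 200 };
}
```

In a real route the official Stripe library's `stripe.webhooks.constructEvent` performs the same check; the point here is that the body is parsed and the order updated only after the signature and timestamp pass.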
Launch Checklist
Before production launch, Farmstand should receive a security review covering Supabase RLS, environment variables, Stripe Connect and Billing flows, domain provisioning, media upload permissions, rate limits, backups, logging, and incident response.
Report an Issue
Send security reports to hello@thenewfarmstand.com.