
DevOps Runbook Series: Security for the Self-Hosted Stack

Six-part DevOps runbook series: Supabase, Next.js, Edge Functions, Trigger.dev, Claude Code audits and security baseline.

Mansoor Ahmed
Head of Engineering

This series provides six hands-on runbooks for operating a self-hosted app stack securely. It is written for DevOps teams running Supabase, Next.js and related technologies in production who want to secure their infrastructure systematically.

At a Glance - DevOps Runbook Series

  • Six runbooks cover the full self-hosted stack: Supabase, Next.js, Edge Functions, Trigger.dev, Claude Code audits and Security Baseline.
  • Each article contains concrete implementations with real code, verifiable conditions and downloadable Claude Code checklists.
  • The series builds layer by layer - from the platform foundation (Supabase) to a machine-readable YAML baseline for the entire stack.
  • Target audience: DevOps engineers, CTOs, security engineers and developers building on Supabase and Next.js.
  • According to the SANS Institute (2024), organizations with a machine-readable security baseline detect configuration drift 14 times faster.

Why a systematic approach matters

Self-hosting gives you control over data and infrastructure. That control comes with responsibility: every component has its own security requirements, and dependencies between layers stay invisible when reviewed in isolation.

A systematic, machine-readable security approach across all layers makes the difference. According to the SANS Institute (2024), organizations with a machine-readable security baseline detect configuration drift on average 14 times faster than teams without a baseline.

This series walks you through the stack layer by layer and concludes with a YAML-based baseline that consolidates all rules from the individual runbooks.

Series overview

Part  Article                                               Focus area           Key deliverable
1     Supabase Self-Hosting Runbook                         Platform foundation  Server architecture, Docker Compose, RLS
2     Running Next.js on Supabase Securely                  App layer            Auth, Middleware, environment separation
3     Deploying Supabase Edge Functions Securely            Integrations         Webhooks, signatures, CORS
4     Running Trigger.dev Background Jobs Securely          Async processing     Tasks, idempotency, concurrency
5     Claude Code as Security Control in DevOps Workflows   Automated audits     Custom commands, headless mode
6     Security Baseline for the Entire Stack                Full-stack baseline  YAML, automated checks

The articles in detail

Part 1 - Supabase Self-Hosting Runbook. Describes a two-server architecture (production and audit), Docker Compose with version-pinned images, service configuration for seven components, and Row Level Security as a requirement on all public tables.
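The "version-pinned images" requirement from Part 1 is the kind of rule that can be checked deterministically rather than by eye. The following is an added example, not code from the series: a small TypeScript scan over a Docker Compose file that flags every service whose image has no tag, uses the mutable `latest` tag, or takes its tag from an interpolated variable, while accepting images pinned by tag or by digest. The compose text is constructed for the example (the tags and digest are placeholders), and the scan assumes the usual two-space indentation under `services:` rather than parsing YAML fully.

```typescript
// Deterministic check: are all Compose images version-pinned?
// Added example; not part of the runbook series. Assumes the conventional
// two-space indentation for service names under "services:".

interface ImageFinding {
  service: string;
  image: string;
  reason: string;
}

// Returns null when the reference is acceptably pinned, otherwise the reason it is not.
function classifyImage(image: string): string | null {
  // A registry host may carry a ":port", so strip everything up to the last "/" first.
  const slash = image.lastIndexOf("/");
  const nameAndRef = slash === -1 ? image : image.slice(slash + 1);
  if (nameAndRef.includes("@")) return null; // digest pinned: immutable reference
  const colon = nameAndRef.indexOf(":");
  const tag = colon === -1 ? null : nameAndRef.slice(colon + 1);
  if (tag === null) return "no tag (defaults to latest)";
  if (tag === "latest") return "tag is latest";
  if (tag.startsWith("${")) return "tag comes from an interpolated variable";
  return null;
}

function checkPinnedImages(composeText: string): ImageFinding[] {
  const findings: ImageFinding[] = [];
  let service = "(unknown)";
  for (const raw of composeText.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd(); // drop YAML comments
    const svc = line.match(/^  ([A-Za-z0-9_.-]+):\s*$/); // "  db:" under services:
    if (svc) {
      service = svc[1];
      continue;
    }
    const img = line.match(/^\s+image:\s*["']?([^"'\s]+)["']?\s*$/);
    if (!img) continue;
    const reason = classifyImage(img[1]);
    if (reason) findings.push({ service, image: img[1], reason });
  }
  return findings;
}

// Constructed sample compose file; tags and the digest are placeholders, not real releases.
const SAMPLE_COMPOSE = `
services:
  db:
    image: supabase/postgres:15.1.0.100
  kong:
    image: kong:2.8.1@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  studio:
    image: supabase/studio:latest   # drifts on every pull
  rest:
    image: postgrest/postgrest
  functions:
    image: "supabase/edge-runtime:v1.22.4"
`;
```

Calling `checkPinnedImages(SAMPLE_COMPOSE)` reports `studio` (tag `latest`) and `rest` (no tag) and accepts the other three services. In a CI gate the script would exit non-zero whenever the returned list is non-empty; a digest pin is the strongest form, since a tag such as `2.8.1` can still be re-pushed by the publisher.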

Part 2 - Running Next.js securely. Covers the app layer on top of Supabase: auth flow with PKCE, middleware for route protection, strict environment separation between server and client, and secure API route patterns.

Part 3 - Deploying Edge Functions securely. Focuses on webhook processing with signature verification, CORS configuration, input validation in the Deno runtime, and secure secret management for third-party integrations.
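Part 3's webhook handling rests on verifying a signature over the raw request body before anything is parsed. The block below is an added example, not code from the series, showing that check in TypeScript with Node's `crypto` module: an HMAC-SHA256 over the timestamp and raw body, a constant-time comparison, and a freshness window so a captured request cannot be replayed later. The header layout `t=<unix seconds>,v1=<hex hmac>` and the tolerance of 300 seconds are assumptions for this example, not a format the series or any particular provider prescribes; `signWebhook` exists only to produce test messages.

```typescript
// Webhook signature verification with replay protection.
// Added example; not from the runbook series. Assumed header format:
//   "t=<unix seconds>,v1=<hex hmac-sha256 of '<t>.<raw body>'>"
import { createHmac, timingSafeEqual } from "node:crypto";

// Producer side (used here only to construct test messages).
function signWebhook(rawBody: string, secret: string, tsSeconds: number): string {
  const mac = createHmac("sha256", secret).update(`${tsSeconds}.${rawBody}`).digest("hex");
  return `t=${tsSeconds},v1=${mac}`;
}

// Consumer side. Verify against the raw body bytes as received, never a re-serialised object.
function verifyWebhookSignature(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSeconds: number,
  toleranceSeconds = 300, // assumed replay window
): boolean {
  if (!header) return false;

  const parts = new Map<string, string>();
  for (const kv of header.split(",")) {
    const idx = kv.indexOf("=");
    if (idx <= 0) return false; // malformed element
    parts.set(kv.slice(0, idx).trim(), kv.slice(idx + 1).trim());
  }
  const tsRaw = parts.get("t");
  const sig = parts.get("v1");
  if (tsRaw === undefined || sig === undefined) return false;
  if (!/^\d{1,12}$/.test(tsRaw) || !/^[0-9a-f]{64}$/.test(sig)) return false;

  // Reject stale or future-dated deliveries before doing any crypto.
  if (Math.abs(nowSeconds - Number(tsRaw)) > toleranceSeconds) return false;

  // The timestamp is part of the signed string, so an attacker cannot
  // refresh "t" on a captured message without breaking the MAC.
  const expected = createHmac("sha256", secret).update(`${tsRaw}.${rawBody}`).digest();
  const given = Buffer.from(sig, "hex");
  if (expected.length !== given.length) return false;
  return timingSafeEqual(expected, given); // constant-time compare
}
```

In an Edge Function the call would be `verifyWebhookSignature(await req.text(), req.headers.get("x-signature"), secret, Math.floor(Date.now() / 1000))`, with `secret` read from the function's environment and the body passed to `JSON.parse` only after the check returns true. Replay protection within the window still needs a record of event IDs already processed, which ties into the idempotency pattern of Part 4.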

Part 4 - Trigger.dev Background Jobs. Describes the self-hosted setup of Trigger.dev v3, idempotent task definition, concurrency control, retry strategies, and secrets isolation between tasks.

Part 5 - Claude Code as security control. Shows how to use Claude Code as an automated audit tool in DevOps workflows: custom commands, headless audit runs, and CI pipeline integration.

Part 6 - Security Baseline. Consolidates all rules from articles 1 through 5 into a machine-readable security-baseline.yml. Includes deterministic check scripts and integration with the Claude Code audit.

Who this series is for

  • DevOps engineers running self-hosted infrastructure
  • CTOs and technical leads evaluating self-hosting vs. managed services
  • Security engineers auditing app stacks
  • Developers building on Supabase and Next.js

How to use this series

  • Read the articles in order from 1 to 6, as they build on each other
  • Download the Claude Code checklists at the end of each article
  • Implement the recommendations layer by layer in your environment
  • Use the security baseline from article 6 as a daily monitoring gate

Tags: DevOps, Security, Self-Hosting, Supabase, Runbook Series

Frequently Asked Questions

What technologies does the series cover?

The series covers the complete self-hosted stack: Supabase (PostgreSQL, PostgREST, GoTrue, Kong), Next.js as the app layer, Supabase Edge Functions for integrations, Trigger.dev v3 for background jobs, Claude Code for automated security audits, and a YAML-based security baseline for the entire stack.

Do I need to read the articles in order?

The articles build on each other. Article 1 (Supabase) is the foundation. Articles 2 to 4 describe the layers above it. Article 5 (Claude Code) references checks from all previous articles. Article 6 (Baseline) ties everything together. We recommend reading them in order.

Are the checklists free to download?

Yes. Each article includes a downloadable Claude Code prompt that automatically audits all security points from the respective runbook. The checklists are Markdown files that you can use directly with Claude Code in your project.