CSP for Supabase Auth Without Breaking Login

Supabase Auth is one of those tools that feels simple right up until you add a strict Content Security Policy. Then login starts failing in weird ways: OAuth popups stop working, token refresh breaks, realtime disconnects, and you end up loosening your policy until it barely counts as CSP. I’ve made that mistake before. The fix is not to throw https: everywhere and hope for the best. The fix is to understand exactly what Supabase Auth needs, then allow only that. ...

April 20, 2026 · 7 min · headertest.com

CSP for AWS Cognito Hosted UI

AWS Cognito Hosted UI is convenient right up until you want a serious Content Security Policy. Then you hit the wall: you don’t control the response headers for the managed login pages the way you would on your own app. That changes how you think about CSP completely. This guide is the practical version: what you can and can’t do, where CSP actually applies, and copy-paste examples for the setups I see most often. ...

April 5, 2026 · 7 min · headertest.com