Security Checklists
Step-by-step checklists you can run before launch · from platform-specific lists to full 25-point web app audits.
- Supabase Security Checklist: Protect Your Database in Production · Supabase is not secure by default: you must enable RLS on every table (the anon key is public, so tables without policies are open to anyone), keep the service role key out of frontend code, enable email confirmation and leaked-password protection, lock storage buckets with policies, and restrict Edge Function CORS to your domain.
- Cursor App Security Checklist: 10 Things to Check Before You Ship · Before shipping a Cursor-built app, verify 10 things: no hardcoded secrets, RLS policies on every table, auth guards on every route, server-side authorization, input validation, safe error messages, patched dependencies, security headers, restricted CORS, and proper token storage. Cursor optimizes for working code, so these checks consistently fail without review.
- Firebase Security Checklist: Protect Your AI-Built App · Firebase ships with permissive defaults: Realtime Database test mode is open to everyone and Firestore test mode expires after 30 days. Lock down Firestore, Realtime Database, and Storage rules to deny-by-default, require auth checks in Cloud Functions, restrict API keys by referrer, and enable App Check before launch.
- React Security Checklist: 10 Vulnerabilities to Fix Before Launch · React apps run entirely in the browser, so every bundled secret, VITE_ variable, and route guard is visible to users. Real security means keeping API keys server-side, sanitizing HTML with DOMPurify before dangerouslySetInnerHTML, validating user URLs, auditing npm dependencies, and enforcing authentication on the server for every sensitive call.
- Web App Security Audit Checklist: 25 Checks Before Launch · A pre-launch security audit should verify seven areas: authentication (MFA, brute-force limits), authorization (IDOR, server-side checks), data protection (HTTPS, encryption at rest), API security (input validation, rate limits), infrastructure (secrets, CORS, headers), dependencies (npm audit), and logging. Work through all 25 checks on a repeatable schedule · automated scanners like SimplyScan handle the routine ones.
- Claude Code Security Checklist: Ship Agent-Written Code Safely · Secure Claude Code by securing the session: keep auto-approval off for shell commands, deny-rule .env files so secrets never enter the context, treat everything the agent reads as a potential prompt-injection vector, review every diff before committing, vet MCP servers for source and scope, and scan the deployed app when the work ships.
- How to Check if a Website Is Secure: A 10-Minute Audit · To check if a website is secure, run five free passive checks: confirm HTTP redirects to a valid HTTPS certificate with TLS 1.2+, verify security headers like CSP and HSTS, scan for exposed .env and .git files, check SPF, DKIM, and DMARC records, and look for a public status page. The whole audit takes about ten minutes.
- The Complete Application Security Checklist for 2026 · A complete application security checklist covers eight domains: authentication and access control, API keys and secrets, database rules and RLS, security headers and CSP, injection and input validation, dependencies, monitoring and logging, and deployment hygiene. Work through each list before launch, rerun it after every significant change, and automate the repeatable checks with a scanner.
- Broken Access Control Checklist · Find and Fix OWASP A01 · Broken access control (OWASP A01) is when your app lets a user do something they should not · read another user's data, edit a record they do not own, or reach an admin action. This checklist groups the fixes by layer · object-level ownership checks, function-level role checks, database RLS, and verified JWT sessions.
Browse other categories: Platform Security Guides · Vulnerabilities & Fixes · Database & API Security · Comparisons & Reviews · Speed & Performance · AI Coding Security · Security Fundamentals
All security guides