Stack Security Guides
Short, opinionated guides for the exact security patterns AI-built apps get wrong.
- RLS on Supabase · The Practical Guide · Row Level Security (RLS) on Supabase in plain English. What it is, why it's mandatory for the public schema, and the misconfigurations that break it.
- Leaked Password Protection on Supabase · Supabase can check passwords against HaveIBeenPwned during signup. It's off by default. Here's why to turn it on and how.
- Firebase Security Rules · The Short Guide · Firestore and Storage Security Rules explained. The `if true` trap, deny-by-default pattern, and how to audit rules with the simulator.
- Next.js Security Headers · A Working Config · The Next.js `headers()` config for CSP, HSTS, X-Frame-Options, and Permissions-Policy · with a copy-paste starter that scores A+ on securityheaders.com.
- Vercel Security Checklist · Before You Ship · The Vercel security checklist: env vars, preview protection, headers, route-handler auth. Everything to check before going live.
- Supabase Auth · The Security Settings That Matter · The Supabase Auth settings that actually change your security posture: email confirmation, leaked-password check, JWT expiry, and OTP length.
- Environment Variables · A Security Cheatsheet · Which env-var prefixes ship to the browser, which stay server-side, and how to catch leaks before they reach production.
- CORS · How to Configure It Without Breaking Things · CORS in one page: what `Access-Control-Allow-Origin: *` really means, when to allow credentials, and safe production defaults.