Pre-launch security checklist — before your app meets real users

The 42-item checklist to run before your AI-built app hits production. Covers auth, data, secrets, dependencies, headers, logging. Solo-founder-friendly.

For: Solo founders shipping their first app to real users

Authentication

  • Sign-in requires MFA option or WebAuthn (critical)
  • Password hashing uses Argon2id (if you store passwords) (critical)
  • JWT verification pins algorithm, issuer, audience (critical)
  • Session cookies: httpOnly + secure + sameSite=lax
  • Sessions rotate on login
  • Password reset flow uses signed, short-lived tokens

Authorization

  • Every /api/[id] route verifies ownership (critical)
  • Supabase RLS enabled on every table (if you use Supabase) (critical)
  • Admin routes behind a role check
  • Multi-tenant apps scope by tenant in every query

Secrets + env

  • No secrets committed to git (scan with /tools) (critical)
  • Server secrets never use NEXT_PUBLIC_ / VITE_ / PUBLIC_ prefix (critical)
  • Production env vars injected at runtime (Vercel / Fly / secrets manager)
  • Per-key spend caps on every paid API
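The prefix item is easy to check mechanically before every deploy. This is an added example, not the checklist's own /tools scanner: it takes an environment object (for example `process.env` or a parsed `.env.production`) and flags variables that carry a client-exposed prefix but whose name or value looks like a server secret. The name hints and the `sk_live_` / `sk_test_` / `sk-` value prefixes (Stripe and OpenAI key formats) are assumptions chosen for the demonstration; legitimately public values such as a Supabase anon key or a Stripe publishable key are deliberately not matched.

```javascript
// Added example: flag env vars that are shipped to the browser but look like
// server secrets. Prefix list comes from the checklist; hints are assumptions.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'PUBLIC_'];

// Name fragments that almost never belong in client-side config.
// "KEY" alone is not listed, so *_PUBLISHABLE_KEY and *_ANON_KEY pass.
const SECRET_NAME_HINT = /(SECRET|PRIVATE|TOKEN|PASSWORD|SERVICE_ROLE|API_KEY)/i;

// Value shapes of well-known server-only credentials (assumed formats).
const SECRET_VALUE_HINT = /^(sk_live_|sk_test_|sk-)/;

// Returns the sorted list of offending variable names with the reason for each.
function findExposedSecrets(env) {
  const findings = [];
  for (const name of Object.keys(env)) {
    const prefix = PUBLIC_PREFIXES.find((p) => name.startsWith(p));
    if (!prefix) continue; // server-only variable, out of scope here
    const rest = name.slice(prefix.length);
    const value = env[name] == null ? '' : String(env[name]);
    if (SECRET_NAME_HINT.test(rest)) {
      findings.push({ name, reason: 'secret-like-name' });
    } else if (SECRET_VALUE_HINT.test(value)) {
      findings.push({ name, reason: 'secret-like-value' });
    }
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Convenience for a CI gate: non-zero exit when anything is flagged.
function exposedSecretExitCode(env) {
  return findExposedSecrets(env).length === 0 ? 0 : 1;
}
```

Run it as the first step of the pre-deploy gate so a build that would inline a secret into the client bundle fails before it is published.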

Dependencies

  • npm audit clean; High/Critical CVEs patched (critical)
  • Dependabot / Renovate enabled
  • No deprecated packages still used

HTTP + headers

  • HTTPS everywhere; HSTS set with long max-age (critical)
  • Content-Security-Policy configured
  • X-Frame-Options / X-Content-Type-Options set
  • CORS allowlist (not `*`) for state-changing endpoints
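The four header items in this section and the session-cookie item under Authentication can be verified from a single response. What follows is an added example, not tooling from the checklist: a function that audits a headers object (as returned by `fetch` against a staging deployment, or captured from a test request) and returns a list of findings. The one-year minimum for HSTS `max-age` and the extra check that `script-src` does not allow `'unsafe-inline'` are assumptions that go slightly beyond the checklist's wording; the sample headers in the usage are constructed.

```javascript
// Added example: audit response headers against the checklist. Threshold values
// and finding names are assumptions; header names are matched case-insensitively.
function auditHeaders(headers, { stateChanging = false, minHstsMaxAge = 31536000 } = {}) {
  const get = (wanted) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
    return key === undefined ? undefined : headers[key];
  };
  const findings = [];

  // HSTS: present, and max-age at least minHstsMaxAge seconds (one year assumed).
  const hsts = get('strict-transport-security');
  if (!hsts) findings.push('hsts-missing');
  else {
    const m = /max-age=(\d+)/i.exec(String(hsts));
    if (!m || Number(m[1]) < minHstsMaxAge) findings.push('hsts-max-age-too-short');
  }

  // CSP: present, and script-src must not permit inline script (stricter than "configured").
  const csp = get('content-security-policy');
  if (!csp) findings.push('csp-missing');
  else {
    const scriptSrc = /script-src([^;]*)/i.exec(String(csp));
    if (scriptSrc && /'unsafe-inline'/i.test(scriptSrc[1])) findings.push('csp-script-unsafe-inline');
  }

  // Clickjacking and MIME-sniffing headers.
  const xfo = String(get('x-frame-options') || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) findings.push('x-frame-options-missing');
  if (String(get('x-content-type-options') || '').toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options-missing');
  }

  // CORS: a wildcard origin on an endpoint that changes state defeats the allowlist.
  const acao = get('access-control-allow-origin');
  if (stateChanging && acao === '*') findings.push('cors-wildcard-on-state-changing');

  // Cookies: every Set-Cookie needs HttpOnly, Secure and a SameSite attribute.
  const raw = get('set-cookie');
  const cookies = raw === undefined ? [] : Array.isArray(raw) ? raw : [raw];
  for (const c of cookies) {
    const attrs = String(c).split(';').map((a) => a.trim().toLowerCase());
    const name = attrs[0].split('=')[0];
    if (!attrs.includes('httponly')) findings.push(`cookie-${name}-missing-httponly`);
    if (!attrs.includes('secure')) findings.push(`cookie-${name}-missing-secure`);
    if (!attrs.some((a) => a.startsWith('samesite='))) findings.push(`cookie-${name}-missing-samesite`);
  }

  return findings.sort();
}
```

Wire it into the pre-deploy gate by fetching a page and a state-changing API route from the preview deployment and failing the release when the array is non-empty.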

Data + privacy

  • Privacy Policy + ToS published
  • DPA template available for enterprise prospects
  • Stripe / OpenAI / SendGrid keys all server-side
  • User deletion flow tested

Operations

  • Error monitoring (Sentry / similar)
  • Logging scrubs PII and secrets
  • Backups configured and tested
  • Incident response playbook written

Continuous

  • Pre-deploy security gate on every release (critical)
  • Automated dependency updates
  • Auth + data-flow review each quarter