Stack security playbooks
Security is stack-specific. Pick yours for the exhaustive checklist.
Next.js + Supabase + Vercel
The default stack for AI-built apps in 2026. The full security playbook: Supabase Row-Level Security (RLS), Next.js middleware and Server Actions, Vercel deploy-gate, env-var hygiene, and the fifteen checks we see fail in every audit.
Next.js + PostgreSQL (no Supabase)
Running Next.js against Postgres directly (Prisma, Drizzle, raw pg) gives you full control and the full security burden. Here is the checklist: SQL injection defense, connection pooling on serverless, TLS, per-endpoint authorization, and least-privilege database roles.
Remix + Supabase
Remix loaders run on every navigation. Actions handle every write. If either is missing an auth check, you have a universal data leak or an unauthenticated mutation. This is the per-route security playbook for Remix + Supabase.
SvelteKit + Supabase
SvelteKit's load functions and form actions are the security surface. +page.server.ts runs server-side on every navigation; +server.ts handles raw API routes. Here is the per-route playbook plus Supabase RLS integration.
Next.js + Clerk
Clerk handles the hard parts of auth correctly by default. Your integration code — matcher gaps, Server Action auth assertions, webhook verification — is where integration bugs ship. Here is the Next.js + Clerk security playbook.
Next.js + Firebase
Firebase's defense is its Security Rules file. Get that right, combine it with Admin SDK discipline and App Check, and you have a defensible architecture. Here is the playbook plus the rules anti-patterns that leak data every month.
Astro + Turso (libSQL)
Astro server endpoints with Turso's libSQL give you edge-SQL wherever the user is. The security considerations: Astro route protection, libSQL parameterized queries, Turso auth-token scope, and the PUBLIC_ env-var bundling trap.
Remix + PlanetScale
Remix with PlanetScale / Vitess is a resilient MySQL-compatible stack for apps that outgrow SQLite-class databases. The security model: parameterized queries, connection pooling, PlanetScale's branch-based schema workflow, and Remix's usual loader/action discipline.
Nuxt + Firebase
Nuxt 3 with Firebase combines Nitro server routes with Firestore's rules-based authorization. The surfaces: Firestore rules (declarative), Nitro /server/api endpoints (imperative), and the runtimeConfig split that silently leaks secrets to the client.
Hono + Cloudflare D1
Hono running on Cloudflare Workers with D1 (SQLite at the edge) is the smallest production stack that still supports SQL. Binding-scope correctness, parameterized queries, and request-size caps are the three things that matter most.