Last updated: January 12, 2026
Use this checklist to ensure your Neon application is secure before launch. 3 critical items require immediate attention.
No API keys in source code
Store secrets securely
Check for vulnerable packages
Configure RLS or Security Rules
Prevent SQL injection
Protect PII and credentials
Use established auth solutions
Confirm user identity
HttpOnly cookies, proper expiry
CSP, HSTS, X-Frame-Options
No mixed content
Secure, HttpOnly, SameSite flags
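The four checklist items that are purely code-level (prevent SQL injection; HttpOnly cookies with proper expiry; CSP, HSTS and X-Frame-Options; Secure/HttpOnly/SameSite flags) are shown below in driver- and framework-neutral JavaScript, together with the kind of check an automated scan would run against them. This is an added example, not code from the checklist, from VAS or from Neon; every function name and the header values are assumptions chosen for illustration, and the CSP shown is a conservative baseline to loosen per application rather than a recommended production policy.

```javascript
// Added example (not part of the checklist page, VAS or Neon). Function names
// and header values are illustrative assumptions.

// --- Prevent SQL injection --------------------------------------------------
// Return the query as SQL text plus a separate parameter array. Postgres
// drivers send the two separately, so user input can never alter the
// statement's structure.
function findUserByEmail(email) {
  return {
    text: "SELECT id, email FROM users WHERE email = $1",
    values: [email],
  };
}

// The pattern the checklist item warns about: splicing input into the SQL
// string. Kept only so the difference is visible in a check; a value that
// contains a quote changes the statement itself.
function findUserByEmailUnsafe(email) {
  return {
    text: `SELECT id, email FROM users WHERE email = '${email}'`,
    values: [],
  };
}

// --- Secure, HttpOnly, SameSite flags; HttpOnly cookies, proper expiry -----
function sessionCookie(name, value, maxAgeSeconds) {
  // Secure: sent over HTTPS only. HttpOnly: invisible to document.cookie.
  // SameSite=Lax: withheld from cross-site POSTs. Max-Age: explicit expiry
  // rather than a session cookie the browser may keep alive.
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Scanner-style check: does a Set-Cookie header carry every required flag?
function cookieIsHardened(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1) // drop the name=value pair, keep the attributes
    .map((a) => a.trim().toLowerCase());
  const hasSameSite = attrs.some((a) => a === "samesite=lax" || a === "samesite=strict");
  const hasExpiry = attrs.some((a) => a.startsWith("max-age=") || a.startsWith("expires="));
  return attrs.includes("secure") && attrs.includes("httponly") && hasSameSite && hasExpiry;
}

// --- CSP, HSTS, X-Frame-Options ----------------------------------------------
// Conservative baseline (assumed values); frame-ancestors and X-Frame-Options
// together cover old and new browsers for clickjacking.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
  };
}

const REQUIRED_HEADERS = Object.keys(securityHeaders());

// Scanner-style check over a response's headers. Header names are
// case-insensitive in HTTP, so compare lower-cased.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  return REQUIRED_HEADERS.filter((h) => !present.has(h.toLowerCase()));
}

// Stand-alone demo on constructed input.
if (typeof require !== "undefined" && require.main === module) {
  const email = "o'brien@example.com"; // constructed sample input
  console.log(findUserByEmail(email));
  console.log(findUserByEmailUnsafe(email).text); // note the unbalanced quotes
  console.log(sessionCookie("sid", "abc", 3600));
  console.log("missing headers on empty response:", missingSecurityHeaders({}));
}
```

The two checker functions are what an automated scan does for these items: fetch a deployed page, read its Set-Cookie and response headers, and report any flag or header that is absent. The query helpers are a code-review check rather than a runtime one, which is why that item stays manual on the list.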
VAS automatically checks 7 of these 12 items. Get instant results with detailed remediation guidance.
Critical items represent immediate security risks that could lead to a data breach if not addressed - like missing database access controls or exposed secrets. High priority items are important but typically require an additional vulnerability to exploit.
Low priority items provide defense-in-depth but aren't immediate risks. Address all critical and high items before launch. Low items can be added post-launch, but shouldn't be ignored entirely - they protect against edge cases and future vulnerabilities.
Re-run after major feature additions, authentication changes, or new database tables. Set up automated scanning with VAS to catch regressions. Many teams integrate security scans into their CI/CD pipeline for continuous verification.
Items marked 'Auto-Scanned' can be automatically verified by VAS. Instead of manually checking each item, run a VAS scan to instantly verify these items against your deployed application. Non-automated items require manual verification.