Security Audit Checklist
A security audit reviews every layer of your application for vulnerabilities. This checklist covers the essential checks you should perform before launching or after major changes. Use it as a systematic guide to find and fix security issues.
Find security issues automatically before attackers do.
Follow These Steps
Check authentication security
Verify that authentication is properly implemented.
// Checklist:
// [ ] Passwords hashed with bcrypt (cost factor 12+) or Argon2id
// [ ] Session cookies use HttpOnly, Secure, SameSite
// [ ] JWT access tokens have a short expiration (15-30 min) and refresh tokens can be revoked server-side
// [ ] Rate limiting on login endpoints (e.g. 5-10 attempts per account and per IP in 15 min)
// [ ] Email verification enabled
// [ ] Password reset tokens are single-use, expire quickly and are stored hashed
// [ ] 2FA available for sensitive accounts
Review authorization controls
Ensure users can only access their own resources.
// Checklist:
// [ ] Every API endpoint checks authentication
// [ ] Resource ownership verified before every read, update and delete
// [ ] Admin functions protected by role checks
// [ ] RLS enabled on all database tables (Supabase)
// [ ] Security Rules configured (Firebase)
// [ ] No IDOR vulnerabilities (guessing a sequential ID must never expose another user's object)
Verify security headers
Check that all security headers are present.
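Reading a wall of headers by eye is error-prone, so here is an added checker (not code from the original page) that parses the text `curl -I` prints and reports what is missing or weak. The thresholds (one-year HSTS, the accepted Referrer-Policy values, the CSP heuristic that looks for `'unsafe-inline'` and `'unsafe-eval'` in `script-src`) are this example's choices, and the sample response is constructed.

```javascript
// Added example (not from the original page): audit a captured header set
// against the list in this step. Thresholds and the sample are constructed.

// Parse what `curl -I` prints (status line, then "Name: value" lines) into a
// lowercase-keyed Map. Repeated headers are joined with ", ".
function parseRawHeaders(text) {
  const headers = new Map();
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0 || line.startsWith('HTTP/')) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Per-header validators: return null when acceptable, otherwise a reason.
const CHECKS = {
  'x-content-type-options': v =>
    v.toLowerCase() === 'nosniff' ? null : 'must be "nosniff"',
  'x-frame-options': v =>
    ['deny', 'sameorigin'].includes(v.toLowerCase()) ? null : 'must be DENY or SAMEORIGIN',
  'strict-transport-security': v => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'has no max-age';
    // One year is the floor browsers require before a domain can be preloaded.
    return Number(m[1]) >= 31536000 ? null : `max-age ${m[1]} is shorter than one year`;
  },
  'referrer-policy': v =>
    ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin']
      .includes(v.toLowerCase()) ? null : `"${v}" can leak full URLs cross-origin`,
  'content-security-policy': v => {
    // Look at the directive that governs scripts (script-src, else default-src)
    // and flag the two source values that neuter it. Heuristic only.
    const directives = new Map(v.split(';').map(d => {
      const [name, ...rest] = d.trim().split(/\s+/);
      return [name.toLowerCase(), rest.join(' ')];
    }));
    const scripts = directives.get('script-src') ?? directives.get('default-src') ?? '';
    return /'unsafe-inline'|'unsafe-eval'/.test(scripts)
      ? 'script sources allow unsafe-inline or unsafe-eval' : null;
  },
  'permissions-policy': () => null, // presence is the check; contents are app-specific
};

// Headers that only tell an attacker what you run.
const DISCLOSING = ['server', 'x-powered-by', 'x-aspnet-version'];

// Returns [{ header, problem }] for everything missing, weak or leaky.
function auditHeaders(headers) {
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!headers.has(name)) { findings.push({ header: name, problem: 'missing' }); continue; }
    const problem = check(headers.get(name));
    if (problem) findings.push({ header: name, problem });
  }
  for (const name of DISCLOSING) {
    if (headers.has(name)) findings.push({ header: name, problem: `discloses "${headers.get(name)}"; remove it` });
  }
  return findings;
}

// Constructed sample of what `curl -I` might print for a half-configured app.
const SAMPLE_RESPONSE = `HTTP/2 200
content-type: text/html; charset=utf-8
x-powered-by: Express
strict-transport-security: max-age=300
x-frame-options: DENY
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
`;

function demo() {
  return auditHeaders(parseRawHeaders(SAMPLE_RESPONSE));
}
```

Save the real output with `curl -sI https://yourdomain.com > headers.txt`, read that file instead of `SAMPLE_RESPONSE`, and repeat for a few routes: headers set by a framework middleware often cover HTML responses but not API or static-asset routes. The CSP check is deliberately crude; a policy that pairs `'unsafe-inline'` with nonces or hashes is valid for modern browsers, so treat that finding as a prompt to read the policy, not a verdict.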
# Check with curl (-s hides the progress meter, -I sends HEAD and prints only the headers)
curl -sI https://yourdomain.com
# If the server rejects HEAD, fetch normally and print just the headers:
curl -sD - -o /dev/null https://yourdomain.com
# Required headers:
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY   (or Content-Security-Policy: frame-ancestors 'none')
# Strict-Transport-Security: max-age=63072000; includeSubDomains   (includeSubDomains only once every subdomain serves HTTPS)
# Referrer-Policy: strict-origin-when-cross-origin
# Content-Security-Policy: (configured; no 'unsafe-inline' or 'unsafe-eval' in script-src)
# Permissions-Policy: camera=(), microphone=()
# Check an API route and a static asset too: middleware often sets these only on HTML responses.
Audit secrets and environment variables
Verify no secrets are exposed.
# Search for hardcoded secrets (extend the pattern with the key formats of the providers you use)
grep -rnE "sk-[A-Za-z0-9]|password.*=.*['\"]|secret" src/ --include="*.ts" --include="*.js"
# Check .gitignore includes .env
grep -i env .gitignore
# A .gitignore rule does not remove a .env that was committed before the rule existed; check git history too.
# Verify no NEXT_PUBLIC_ secrets (anything prefixed NEXT_PUBLIC_ is compiled into the browser bundle)
grep -rnE "NEXT_PUBLIC_.*(SECRET|KEY.*sk)" . --exclude-dir=node_modules --exclude-dir=.git
Check database security
Verify database access controls and query safety.
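The authorization checklist in the previous step and the query-safety checklist in this one meet in the same handler, so here is one added example (not code from the original page) that covers both: the vulnerable "id from the URL, straight into SQL, no owner check" pattern next to a hardened version. `documents`, `db` and the users are in-memory stand-ins constructed for the example; the `$1`/`$2` placeholder style mirrors node-postgres but no driver is used.

```javascript
// Added example (not from the original page): authorization (authn check,
// ownership in the predicate, role check for admin actions) plus query
// safety (validated, parameterized id). Table, driver and users are stand-ins.
const documents = [
  { id: 1, owner_id: 'alice', title: 'Q3 plan' },
  { id: 2, owner_id: 'bob',   title: 'Salary review' },
];

// The one prepared statement the hardened handler uses.
const OWNED_DOC_SQL =
  'SELECT id, owner_id, title FROM documents WHERE id = $1 AND owner_id = $2';

// Stand-in driver: it binds values itself and runs only the statement above,
// so user-supplied text never reaches a SQL parser.
const db = {
  query(text, values) {
    if (text !== OWNED_DOC_SQL) throw new Error('unexpected statement');
    const [id, ownerId] = values;
    return { rows: documents.filter(d => d.id === id && d.owner_id === ownerId) };
  },
};

// BEFORE: the id goes from the URL straight into the SQL string, and the row
// is returned to whoever asked. That is an injection and an IDOR in one line.
function vulnerableQuery(req) {
  return `SELECT * FROM documents WHERE id = ${req.params.id}`;
}

// AFTER: authenticate, validate the id, bind it as a parameter, and make
// ownership part of the predicate so a guessed id for someone else's
// document returns no rows at all.
function getDocument(req) {
  if (!req.user) return { status: 401, body: { error: 'authentication required' } };

  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400, body: { error: 'invalid id' } };

  const { rows } = db.query(OWNED_DOC_SQL, [id, req.user.id]);
  // 404 rather than 403: do not confirm to a guesser that the id exists.
  if (rows.length === 0) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: rows[0] };
}

// Admin-only operation: the role comes from the server-side session object,
// never from a header or body field the client controls.
function deleteAnyDocument(req) {
  if (!req.user) return { status: 401, body: { error: 'authentication required' } };
  if (req.user.role !== 'admin') return { status: 403, body: { error: 'forbidden' } };
  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400, body: { error: 'invalid id' } };
  const idx = documents.findIndex(d => d.id === id);
  if (idx === -1) return { status: 404, body: { error: 'not found' } };
  documents.splice(idx, 1);
  return { status: 204, body: null };
}

// Walk-through with constructed users and a classic injection payload.
function demo() {
  const alice = { id: 'alice', role: 'user' };
  const bob = { id: 'bob', role: 'user' };
  return {
    injected: vulnerableQuery({ params: { id: '1 OR 1=1' } }), // dumps every row
    ownRow: getDocument({ user: alice, params: { id: '1' } }).status,   // 200
    otherRow: getDocument({ user: bob, params: { id: '1' } }).status,   // 404
    anonymous: getDocument({ params: { id: '1' } }).status,             // 401
    badId: getDocument({ user: bob, params: { id: '1 OR 1=1' } }).status, // 400
    userDelete: deleteAnyDocument({ user: bob, params: { id: '2' } }).status, // 403
  };
}
```

With Supabase the same ownership predicate belongs in a row-level-security policy (`using (owner_id = auth.uid())`) so that the database enforces it even for code paths that forget to; keep the application-side check as well, since RLS does not cover service-role connections.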
// Checklist:
// [ ] TLS enforced for database connections, with the server certificate verified (e.g. sslmode=verify-full for Postgres)
// [ ] Parameterized queries used (no string concatenation)
// [ ] Database user has least-privilege access (the app role cannot DROP or ALTER, and cannot read unrelated schemas)
// [ ] RLS enabled on all tables (Supabase)
// [ ] No raw SQL with user input
Review input validation
Verify all user input is validated.
// Checklist:
// [ ] All API endpoints validate input with Zod or similar (allow-list the fields you expect; reject the rest)
// [ ] File uploads validate type by content (magic bytes), not by extension or client-supplied Content-Type
// [ ] File uploads enforce size limits, applied while the body streams
// [ ] No innerHTML or dangerouslySetInnerHTML with unescaped user input
Check dependency security
Scan for vulnerable dependencies.
# Check for known vulnerabilities (fail CI on anything high or critical)
npm audit --audit-level=high
# Update vulnerable packages; review the resulting lockfile diff and avoid --force, which pulls in breaking major upgrades
npm audit fix
Run an automated security scan
Use VAS to automatically check for all the above issues and more.
Automated scanning catches many issues but is not a replacement for manual review. Use both.
What You'll Achieve
You have systematically reviewed authentication, authorization, headers, secrets, database security, input validation, and dependencies. All identified issues are documented and prioritized for fixing.
Common Mistakes to Avoid
Mistake
Only checking the items you know about
Fix
Use a comprehensive checklist like this one. Security issues hide in areas you do not think to check.
Mistake
Performing a one-time audit and never revisiting
Fix
Run this checklist before every major launch, after significant code changes, and on a quarterly schedule.
Frequently Asked Questions
How often should I perform a security audit?
Before every production launch, after major code changes, when team members leave, and on a quarterly schedule at minimum.
Can automated tools replace manual audits?
Automated tools like VAS catch many common issues but cannot understand business logic or complex authorization flows. Use automated scanning as a supplement to manual review, not a replacement.
Ready to Secure Your App?
VAS automatically scans your deployed app for the security issues covered in this guide. Get actionable results in minutes.
Start Security Scan