The essential security checklist for startups and new applications. Ship fast without shipping vulnerabilities.
Check your app against this checklist automatically.
Add .env to .gitignore
Run npm audit fix
Check HTTPS is working
Search code for hardcoded secrets
Test IDOR: can user A access user B's data?
The #1 cause of security incidents in new apps
All secrets in environment variables (not in code) (Required)
5 min: Hardcoded secrets get committed to git and exposed. A secret that has ever been committed stays in the history, so treat it as compromised and rotate it.
.env files added to .gitignore (Required)
1 min: Prevents accidentally committing secrets.
Different API keys for dev vs production (Required)
10 min: Limits the blast radius if dev keys are exposed, and makes it obvious when a test key ends up in production.
No secrets in frontend code or client bundles (Required)
15 min: Client-side code is visible to everyone. Anything exposed through a public-prefixed variable (NEXT_PUBLIC_, VITE_) is bundled and shipped to every browser.
Secrets never logged or included in error messages
10 min: Logs are often less protected than you think, and are frequently shipped to third-party services. Connection strings inside exception messages are a common leak.
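The items above as working code, added here as an example rather than taken from the checklist's own tooling: a config loader that reads secrets from the environment and refuses to start when one is missing or a test key is present in production, plus a redaction step applied to every log line. The variable names (DATABASE_URL, SESSION_SECRET, STRIPE_SECRET_KEY) and the sk_test_ prefix check are assumptions for the example.

```javascript
// Added example, not from the original checklist: read secrets from the
// environment, fail fast if one is missing, and redact them from anything
// that reaches a log. The variable names are assumptions for the example.
const REQUIRED = ["DATABASE_URL", "SESSION_SECRET", "STRIPE_SECRET_KEY"];

// Build the config from process.env (or a supplied map, for tests). Throwing
// here stops the process at startup instead of failing on the first request.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  // Catch a dev key that was copied into the production environment.
  if (env.NODE_ENV === "production" && env.STRIPE_SECRET_KEY.startsWith("sk_test_")) {
    throw new Error("Production is configured with a Stripe test key");
  }
  return {
    databaseUrl: env.DATABASE_URL,
    sessionSecret: env.SESSION_SECRET,
    stripeSecretKey: env.STRIPE_SECRET_KEY,
  };
}

// Replace every configured secret value, and the password in any URL, with
// a placeholder. Run this over every string before it is logged or sent to an
// error tracker; secrets tend to leak via connection strings in exceptions.
function redact(text, config) {
  let out = String(text);
  for (const value of Object.values(config)) {
    if (typeof value === "string" && value.length >= 8) {
      out = out.split(value).join("[REDACTED]");
    }
  }
  // scheme://user:password@host -> scheme://user:[REDACTED]@host
  return out.replace(/(\w+:\/\/[^:\/\s@]+:)[^@\s]+@/g, "$1[REDACTED]@");
}

// A logger that cannot emit a configured secret by accident.
function makeLogger(config, sink = (line) => console.error(line)) {
  return (message) => {
    const line = redact(message, config);
    sink(line);
    return line;
  };
}
```

Wire `makeLogger(loadConfig())` in at startup and use it instead of a bare `console.error`; the redaction is cheap and catches the case where a library includes the full connection string in its error text.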
Use libraries, don't build your own
Using an established auth library (NextAuth, Clerk, Auth0, Supabase Auth) (Required)
1-2 hrs: Custom auth is almost always insecure; password hashing, session handling and reset flows are easy to get subtly wrong.
Strong password requirements (if using password auth) (Required)
10 min: Weak passwords are easily brute-forced. Prefer a minimum length and a breached-password check over complexity rules.
Session tokens are secure and expire appropriately (Required)
15 min: Long-lived or weak tokens enable account takeovers. Generate tokens from a CSPRNG, store them server-side (or sign them), and give them an absolute expiry.
Rate limiting on login/signup endpoints
30 min: Prevents brute force and credential stuffing.
Logout actually invalidates the session
10 min: Common bug: logout just clears client state while the token stays valid on the server.
Ensure users can only access their own data
Every API endpoint checks user authentication (Required)
30 min: Unauthenticated endpoints are open to anyone. Apply the check as default middleware and allowlist the few public routes, rather than remembering to add it to each endpoint.
Users can only access/modify their own data (Required)
1 hr: IDOR (Insecure Direct Object Reference) is extremely common: the handler looks up a record by the id in the URL without checking that it belongs to the caller. Scope every query by the authenticated user's id.
Admin functions require admin role checks (Required)
30 min: Role elevation attacks are common. Read the role from the server-side user record, never from a request field or cookie the client can edit.
Authorization checked on server, not just client (Required)
1 hr: Client-side checks are trivially bypassed; hiding a button does not protect the endpoint behind it.
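The IDOR test from the quick-wins list ("can user A access user B's data?") as code, added here as an example and not taken from any framework: the same "get document" handler written first as the vulnerable version, then scoped to the caller, plus an admin-only endpoint that reads the role from the server-side record. The documents, roles, `req` shape and `HttpError` helper are all constructed for the example.

```javascript
// Added example, not from the original checklist: an IDOR and its fix, with
// an admin role check. Data and the request shape are constructed.
const documents = new Map([
  ["doc_1", { id: "doc_1", ownerId: "user_a", title: "A's notes" }],
  ["doc_2", { id: "doc_2", ownerId: "user_b", title: "B's invoices" }],
]);
// Roles live server-side; nothing the client sends can change them.
const roles = new Map([["user_a", "member"], ["user_b", "member"], ["user_z", "admin"]]);

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Stand-in for the auth library's session lookup: req.user is set by the
// authentication middleware, never taken from the request body.
function requireUser(req) {
  if (!req.user) throw new HttpError(401, "Authentication required");
  return req.user.id;
}

// VULNERABLE: trusts the id from the URL and never asks who is calling.
function getDocumentInsecure(req) {
  const doc = documents.get(req.params.id);
  if (!doc) throw new HttpError(404, "Not found");
  return doc;
}

// Hardened: authenticate, then scope the lookup to the caller. Returning 404
// rather than 403 for someone else's document avoids confirming the id exists.
function getDocumentSecure(req) {
  const userId = requireUser(req);
  const doc = documents.get(req.params.id);
  if (!doc || doc.ownerId !== userId) throw new HttpError(404, "Not found");
  return doc;
}

// Admin-only endpoint: the role comes from the server-side map, so a
// client-supplied { role: "admin" } in the body is simply ignored.
function listAllDocuments(req) {
  const userId = requireUser(req);
  if (roles.get(userId) !== "admin") throw new HttpError(403, "Forbidden");
  return [...documents.values()];
}

// Turn a handler's return value or thrown HttpError into a status/body pair.
function handle(handler, req) {
  try {
    return { status: 200, body: handler(req) };
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, body: { error: e.message } };
    throw e;
  }
}
```

In a real ORM the ownership check is the `WHERE owner_id = ?` clause on the query itself (for example `findFirst({ where: { id, ownerId: userId } })`), which is harder to forget than a separate comparison after the fetch.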
Protect your data from injection and exposure
Using parameterized queries or an ORM (no string concatenation) (Required)
varies: SQL injection is still in the OWASP Top 10. Raw-query escape hatches in ORMs reintroduce it if you interpolate input into them.
Database credentials not exposed to frontend (Required)
10 min: Direct database access from the browser = game over.
RLS (Row Level Security) enabled if using Supabase (Required)
1 hr: The anon key ships in your client bundle; without RLS policies on every table, anyone holding it can read and write all rows through the REST API.
Database backups configured
30 min: Recovery option for accidental or malicious data loss. Test a restore once; an untested backup is a hope, not a plan.
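The parameterized-query item, shown as an added example (no real database is used; the functions return the query that would be sent, in the `{ text, values }` shape used by the `pg` driver). It shows how concatenation turns input into SQL, the bound-parameter version, and the one case parameters cannot cover: identifiers such as an ORDER BY column, which need an allowlist. The table and column names are assumptions.

```javascript
// Added example, not from the original checklist. Returns query objects
// rather than executing them, so it runs without a database.

// VULNERABLE: the input becomes part of the SQL text.
function findUserInsecure(email) {
  return `SELECT id, email FROM users WHERE email = '${email}'`;
}

// Safe: the input travels as a bound value and is never parsed as SQL.
function findUserSecure(email) {
  return { text: "SELECT id, email FROM users WHERE email = $1", values: [email] };
}

// Column names and sort directions cannot be bound as parameters, so map the
// user-facing sort key to a fixed allowlist instead of interpolating it.
const SORT_COLUMNS = { newest: "created_at DESC", name: "name ASC" };

function listUsersSorted(sortKey, limit) {
  const order = SORT_COLUMNS[sortKey];
  if (!order) throw new Error(`Unknown sort key: ${sortKey}`);
  // LIMIT can be bound, but validate the range so a client cannot ask for everything.
  const n = Number.parseInt(limit, 10);
  if (!Number.isInteger(n) || n < 1 || n > 100) throw new Error("limit must be between 1 and 100");
  return { text: `SELECT id, email FROM users ORDER BY ${order} LIMIT $1`, values: [n] };
}
```

Pass the `{ text, values }` object straight to `pool.query`; with an ORM, use its query builder and reserve raw-query methods for statements that contain no user input.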
Encrypt data in transit
HTTPS enforced (HTTP redirects to HTTPS) (Required)
15 min: HTTP traffic is visible to anyone on the network path.
Valid SSL certificate (not expired, not self-signed) (Required)
5 min: An expired or self-signed certificate trains users to click through warnings and gives no protection against an attacker presenting their own certificate. Use a free CA such as Let's Encrypt and automate renewal.
HSTS header configured
5 min: Tells browsers to always use HTTPS for your domain, so after the first visit the browser upgrades http:// links itself before sending anything.
Secure cookies (Secure, HttpOnly, SameSite flags) (Required)
15 min: Each flag covers a different attack: Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it out of reach of JavaScript (so XSS cannot read it), and SameSite=Lax or Strict stops it being sent on cross-site requests (CSRF).
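The transport items above as one added example (not code from the checklist or any framework): an HTTP-to-HTTPS redirect that only trusts X-Forwarded-Proto when the app is told it sits behind a proxy, the HSTS header, and a session cookie serialized with all three flags and the __Host- prefix. It is written against a plain `req` object so it runs without Express; the header and cookie names are assumptions.

```javascript
// Added example, not from the original checklist. Header keys are lowercase
// as Node's HTTP parser delivers them.

const HSTS = "max-age=31536000; includeSubDomains";

// Behind a load balancer the socket is plain HTTP, so the proxy's
// X-Forwarded-Proto header is the only signal. Trust it only when the app is
// configured to run behind a proxy; otherwise any client can set it.
function isHttps(req, trustProxy) {
  if (req.secure) return true;
  const forwarded = (req.headers["x-forwarded-proto"] || "").split(",")[0].trim();
  return trustProxy && forwarded === "https";
}

// Returns the action to take: a 301 to the https:// URL, or no redirect plus
// the HSTS header to add to the response.
function enforceHttps(req, { trustProxy = false } = {}) {
  if (!isHttps(req, trustProxy)) {
    return { status: 301, headers: { Location: `https://${req.headers.host}${req.url}` } };
  }
  return { status: null, headers: { "Strict-Transport-Security": HSTS } };
}

// Session cookie with every flag set. The __Host- prefix makes browsers
// refuse the cookie unless it is Secure, has no Domain attribute and Path=/,
// so a misconfiguration fails loudly instead of silently weakening it.
function sessionCookie(token, maxAgeSeconds = 12 * 60 * 60) {
  if (!/^[A-Za-z0-9_-]+$/.test(token)) throw new Error("cookie value must be URL-safe");
  return [
    `__Host-session=${token}`,
    "Path=/",
    "Secure",
    "HttpOnly",
    "SameSite=Lax",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}
```

Most hosting platforms terminate TLS for you and set X-Forwarded-Proto; the point of the `trustProxy` switch is that the same code is wrong in both directions if guessed: trusting the header on a directly exposed server lets a client skip the redirect, and ignoring it behind a proxy creates a redirect loop.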
Never trust user input
All user input validated on server side (Required)
varies: Client-side validation is bypassed with dev tools or curl; it is a usability feature, not a security control.
File uploads validated (type, size, content) (Required)
30 min: Malicious file uploads can execute code. Check the actual file content (magic bytes), not just the extension or the client-supplied Content-Type, cap the size, and store files under a server-generated name outside the web root.
Output escaped to prevent XSS (Required)
varies: React/Vue escape text bindings automatically; don't bypass it, and still validate URLs you place into href/src (a javascript: URL is not escaped away).
Avoid dangerouslySetInnerHTML or v-html (Required)
varies: These insert raw HTML and bypass the framework's XSS protection. If you must render user-supplied HTML, sanitize it first (for example with DOMPurify).
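The upload and output-escaping items together, as an added example rather than code from the checklist: an upload validator that checks size, sniffs the real content type from magic bytes, requires the declared type and extension to agree with it, and returns a server-generated filename; and an `escapeHtml` for the rare server-side template or email where the framework's auto-escaping is not in play. The allowed types, size cap and signatures are assumptions for the example.

```javascript
// Added example, not from the original checklist. Sample buffers are
// constructed in the usage below; nothing is written to disk.

const MAX_BYTES = 5 * 1024 * 1024;

// Allowed types: magic-byte signature and the extension we store under.
const SIGNATURES = {
  "image/png": { magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], ext: "png" },
  "image/jpeg": { magic: [0xff, 0xd8, 0xff], ext: "jpg" },
};

// Identify the type from the bytes themselves, ignoring what the client said.
function sniffType(buf) {
  for (const [type, { magic }] of Object.entries(SIGNATURES)) {
    if (buf.length >= magic.length && magic.every((b, i) => buf[i] === b)) return type;
  }
  return null;
}

// Returns { ok: true, storedName } or { ok: false, reason }. The stored name
// is built server-side so the client's filename never reaches the filesystem.
function validateUpload({ filename, declaredType, data }, randomId = "upload") {
  if (data.length === 0) return { ok: false, reason: "empty file" };
  if (data.length > MAX_BYTES) return { ok: false, reason: "file too large" };
  const actual = sniffType(data);
  if (!actual) return { ok: false, reason: "unsupported or unrecognised file content" };
  if (declaredType !== actual) return { ok: false, reason: "declared type does not match content" };
  const ext = (filename.split(".").pop() || "").toLowerCase();
  const extOk = ext === SIGNATURES[actual].ext || (actual === "image/jpeg" && ext === "jpeg");
  if (!extOk) return { ok: false, reason: "extension does not match content" };
  return { ok: true, storedName: `${randomId}.${SIGNATURES[actual].ext}` };
}

// Escape untrusted text for an HTML body or attribute value. Not needed in
// React/Vue text bindings, which do this for you; needed anywhere you build
// HTML from strings.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
```

Using a real random id (for instance `crypto.randomUUID()`) for `randomId` in production removes path traversal and overwrite problems along with the name itself; the validator only sees the extension of the original name to confirm it matches the content.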
Don't leak internal information
Production errors don't show stack traces (Required)
15 min: Stack traces reveal internal paths, library versions and code structure.
Generic error messages for users (detailed logs for you)
20 min: Specific errors help attackers. Return a correlation id the user can quote to support and keep the detail in your logs.
Failed logins don't reveal if the user exists
10 min: User enumeration helps targeted attacks. Use the same message ("invalid email or password") and similar response time for unknown accounts and wrong passwords; password-reset and signup flows leak the same way.
Keep your supply chain clean
No critical vulnerabilities in npm audit (Required)
15 min: Known vulnerabilities are easily exploited. Run npm audit in CI and fail the build on critical findings.
Lock files committed (package-lock.json)
1 min: Pins exact versions and integrity hashes so every install, including CI and production, gets the same reviewed dependency tree. Install with npm ci, which refuses to run when the lock file and package.json disagree.
Dependencies from official sources only
varies: Typosquatting packages contain malware. Check the package name and publisher before installing, point your registry config only at npmjs.org (or your private registry), and make sure the "resolved" URLs in the lock file never point anywhere else.
Running through this checklist manually? Our scanner automates much of it - checking for exposed secrets, security headers, common vulnerabilities, and more.
At minimum: secrets in environment variables, authentication using a library, authorization checks on every endpoint, and HTTPS. These take a few hours in total and prevent the most common attacks. You can add more sophisticated security as you grow.
Not for the basics on this checklist - they take hours, not weeks. However, you should absolutely delay launch if you're handling payments or sensitive health/financial data without proper security. For a simple MVP with basic user data, this checklist is sufficient to launch.
Don't panic, but act quickly. Immediately check for exposed secrets, including anything ever committed to git history, and rotate any that may have been compromised. Add the critical items from this checklist. Run a security scan to find issues. Most successful startups launched with imperfect security and improved over time.
For most MVPs, no. A pentest costs $5,000+ and takes weeks. For an early-stage product, automated security scanning plus this checklist is sufficient. Consider a pentest when you have paying customers, handle sensitive data, or need compliance certification.
This checklist covers technical security, not legal compliance. GDPR, CCPA, HIPAA etc. have additional requirements (privacy policies, data processing agreements, specific data handling). Consult a lawyer for compliance requirements specific to your industry and user base.
For an MVP: review this checklist before launch, then whenever you add authentication, payments, or new data types. Once you have real users, run automated security scans weekly or on each deployment. As you grow, schedule formal security reviews quarterly.