What are Railway security best practices?

The best practices specific to Railway (not generic OWASP)

Every "security best practices" list tells you to use HTTPS and rotate keys. Those are table stakes. The list below is what actually matters for Railway apps, based on the risks that appear in real Railway deployments.

1. Enable Private Networking for all database connections

*Why:* Databases accessible from internet without Private Networking. *Do this:* Enable Private Networking for all database connections.

2. Never console

*Why:* Database URLs with credentials visible in logs. *Do this:* Never console.log environment variables. Use structured logging.

3. Use paid tier for production

*Why:* Free tier runs on shared infrastructure. *Do this:* Use paid tier for production. Consider dedicated instances for compliance.

4. Enable branch protection

*Why:* Git push auto-deploys without security review. *Do this:* Enable branch protection. Require PR reviews before deploy.

5. Explicitly delete volumes

*Why:* Deleted services may leave data on volumes. *Do this:* Explicitly delete volumes. Encrypt sensitive data at rest.

Railway-specific: server-side authorization only

With direct Postgres access, authorization has to happen in middleware or row-level policies. Client-side "hide the admin button" patterns are cosmetic — a curl request bypasses them. Every query that touches user data needs a filter by authenticated user ID, enforced at the data layer.

Verification

Even perfect best practices don't prove themselves — the only way to confirm the list above is implemented is to scan a deployed Railway app. VAS probes each of secrets management, database security, network config, container security by actually attempting the attack, not just reading headers or docs.