What are Render security best practices?

The best practices specific to Render (not generic OWASP)

Every "security best practices" list tells you to use HTTPS and rotate keys. Those are table stakes. The list below is what actually matters for Render apps, based on the risks that appear in real Render deployments.

1. Disable auto-deploy for production

*Why:* Push-to-deploy can ship vulnerable code without review. *Do this:* Disable auto-deploy for production. Use manual deploy with review.

2. Create separate groups for prod/staging

*Why:* Team-wide env groups may expose secrets to unauthorized services. *Do this:* Create separate groups for prod/staging. Limit group access.

3. Configure separate env vars for preview environments

*Why:* Preview environments share main app's environment by default. *Do this:* Configure separate env vars for preview environments.

4. Use paid tier for production workloads

*Why:* Services sleep, security monitoring may fail silently. *Do this:* Use paid tier for production workloads.

5. Implement branch protection in your Git provider

*Why:* Any push triggers deploy without approval. *Do this:* Implement branch protection in your Git provider.

Render-specific: server-side authorization only

With direct Postgres access, authorization has to happen in middleware or row-level policies. Client-side "hide the admin button" patterns are cosmetic — a curl request bypasses them. Every query that touches user data needs a filter by authenticated user ID, enforced at the data layer.

Verification

Even perfect best practices don't prove themselves — the only way to confirm the list above is implemented is to scan a deployed Render app. VAS probes each of env groups, database access, service auth, deploy config by actually attempting the attack, not just reading headers or docs.