
Security for Side Projects

Side projects feel low-stakes, but if they have real users — even a few — you're responsible for their data. The good news: basic security is quick and free.


Why Security Matters for Side Projects

Many successful products started as side projects. If yours grows, the security decisions (or lack thereof) you make now follow you. It's much harder to add security retroactively after thousands of users have signed up. Even small projects with a handful of users create liability if you mishandle their data. Email addresses, passwords, and usage data are personal information subject to privacy laws.

Security Risks

Open database

Severity: critical

Database accessible without authentication because "it's just a side project." With Supabase the anon key ships inside your frontend by design; without Row Level Security, anyone who reads that key can query every table.

Mitigation

Enable Row Level Security (RLS) on Supabase (Security Rules on Firebase). It takes about 10 minutes and closes the most common side-project hole. Two caveats: enabling RLS with no policies blocks all access from the anon and authenticated roles, so add a policy per operation before you test; and the service-role key bypasses RLS entirely, so it must never leave your server. There's no excuse for an open database, even on a side project.

Exposed secrets in public repos

Severity: high

API keys committed to a public GitHub repository.

Mitigation

Keep secrets in a .env file and list that file in .gitignore before your first commit. If you've already committed a secret, rotate it immediately: deleting the file in a later commit leaves it in git history, and automated scrapers pick up pushed keys within minutes. Rewriting history is worth doing only after rotation, and only stops future readers, not anyone who already cloned the repo.

No password hashing

Severity: high

Storing user passwords in plaintext because "security can wait."

Mitigation

Use Supabase Auth or Firebase Auth. They hash passwords with a slow, salted algorithm and handle sign-up and reset flows, so your own tables never hold a password at all. Never implement custom password storage.

Security Checklist

Use a managed auth service (Must Have)

Supabase Auth or Firebase Auth. Free tier is more than enough. Never store passwords yourself.

Enable database access controls (Must Have)

RLS for Supabase, Security Rules for Firebase. Takes 10 minutes.
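A worked RLS setup for Supabase, as an added example that is not part of the original page. The `books` table, its columns and the policy names are assumed for illustration; `auth.uid()` and the `authenticated` role are Supabase's own, and the final query is a plain Postgres catalog check you can run in the SQL editor to find tables you forgot.

```sql
-- Added example (not from the original page). Assumes Supabase's auth.uid()
-- helper and its "authenticated" role; the books table is hypothetical.
create table if not exists public.books (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  title      text not null,
  created_at timestamptz not null default now()
);

-- Step 1: turn RLS on. From this point the anon and authenticated roles get
-- zero rows back until a policy says otherwise (deny by default).
alter table public.books enable row level security;

-- Step 2: one policy per operation, each scoped to the caller's own rows.
-- USING filters rows a query may see/modify; WITH CHECK validates new rows.
create policy "books: owner can read"
  on public.books for select
  to authenticated
  using (owner_id = auth.uid());

create policy "books: owner can insert"
  on public.books for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "books: owner can update"
  on public.books for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "books: owner can delete"
  on public.books for delete
  to authenticated
  using (owner_id = auth.uid());

-- Step 3: audit. Every public table this returns is readable and writable
-- with the anon key that ships in your frontend.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Note that no policy above mentions the anon role, so signed-out visitors get nothing; if part of the app is meant to be public, add a separate `for select to anon` policy with an explicit `using` clause rather than loosening the owner policies. The service-role key is not subject to any of these policies, which is why it belongs only in server-side code.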

Keep secrets out of git (Must Have)

Use .env files and add them to .gitignore before your first commit.

HTTPS (Must Have)

Deploy to Vercel, Netlify, or Railway — they provide HTTPS automatically for free.

Basic error handling (Should Have)

Don't show stack traces to users: they reveal file paths, library versions and sometimes query text. Catch errors, log the details server-side, and return a generic message.

Privacy policy (Nice to Have)

Even a simple one-page policy explaining what data you collect.

Real-World Scenario

A developer builds a book tracking app as a weekend project and shares it on Reddit. 200 people sign up. The developer stored passwords in plaintext in a custom Supabase table instead of using Supabase Auth, because "I'll fix auth later." Someone discovers the database is open (no RLS), exports all user records with the public anon key, and posts the email/password combinations online. Many of those users reused their passwords on other services.

Frequently Asked Questions

Does security matter for a project with 10 users?

Yes. Those 10 users trusted you with their email and password. If their credentials leak because you skipped security, you're responsible. Plus, basic security (managed auth + RLS + HTTPS) takes less than an hour.

What's the cheapest way to secure a side project?

Free: Supabase Auth (free tier), RLS policies (built-in), Vercel/Netlify hosting (free HTTPS). A VAS Starter Scan is $5 if you want automated checking. Total cost: $0-5.

I committed an API key to GitHub. What do I do?

Rotate the key immediately on your provider's dashboard. The old key is compromised even if you delete the commit: git history keeps it, and bots scrape GitHub for exposed keys within minutes. Then add the .env file to .gitignore to prevent future leaks, and search the repo's history for other copies (for example `git log -p -S 'the-old-key'`) so you rotate everything that was exposed, not just the one you noticed.

Secure Your Side Projects

VAS automatically scans for the security risks specific to side projects. Get actionable results with step-by-step fixes tailored to your stack.

Scans from $5, results in minutes.