Security Checklist
Never expose your keys. This is like handing a stranger your wallet and password combined. Run through this before you deploy anything.
By Ryan Frizelle · 3 min read
I learned this the hard way. API keys are how platforms talk to each other. If someone gets hold of your keys, they can act as your app: edit your apps and data, and spend your API credits if the platform bills for usage (if you had to put a card down, it does). This checklist is what I run through before every single deploy.
Authentication checks:
1. Every API route calls requireAuth(). No exceptions.
2. Session tokens stored in HttpOnly cookies, with the Secure and SameSite attributes set. Never in localStorage, where any injected script can read them.
3. Password minimum of 8 characters enforced, and new passwords rejected if they appear in a known-breached-password list.
4. Magic link or OAuth preferred over password-based auth.
Database checks:
1. Row Level Security (RLS) enabled on every table, with a policy written for each one. This is the single most important thing in Supabase: a table in the public schema is exposed through the API, and without RLS anyone holding the anon key can read and write it. Enabling RLS with no policies blocks all access, so you will notice a missing policy quickly.
2. All queries scoped to user_id so users can only see their own data, with the user_id taken from the session, never from the request body or query string.
3. No raw SQL. Use parameterized queries (Drizzle ORM does this for you; the one thing to watch is sql.raw(), which interpolates strings as-is).
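The authentication and database items above fit together in one small pattern. The following is an added example written for this page, not the author's security.ts library or a Supabase/Drizzle API: a requireAuth() wrapper that reads a signed session cookie, the Set-Cookie string with the attributes the checklist asks for, and a query helper that takes its user_id scope from the session and keeps the search string as a bound parameter. The in-memory session store, the SESSION_SECRET constant, the request and response shapes and the notes table are all assumptions made so that it runs stand-alone.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed in-memory store standing in for a sessions table. In a real app
// SESSION_SECRET comes from process.env on the server, never from a NEXT_PUBLIC_ variable.
interface Session { userId: string; expiresAt: number }
const sessions = new Map<string, Session>();
const SESSION_SECRET = "constructed-secret-for-the-example-only";

function sign(id: string): Buffer {
  return createHmac("sha256", SESSION_SECRET).update(id).digest();
}

// Issue a session token: 256-bit random id plus an HMAC, so a forged or tampered
// cookie is rejected before it ever touches the store.
export function createSession(userId: string, ttlMs = 3_600_000): string {
  const id = randomBytes(32).toString("base64url");
  sessions.set(id, { userId, expiresAt: Date.now() + ttlMs });
  return `${id}.${sign(id).toString("base64url")}`;
}

// Set-Cookie value with the attributes that matter: HttpOnly keeps it out of document.cookie,
// Secure keeps it off plain HTTP, SameSite=Lax stops it riding along on cross-site POSTs.
export function sessionCookie(token: string, maxAgeSeconds = 3600): string {
  return `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${maxAgeSeconds}`;
}

// Resolve the Cookie header to a session, or null for missing, forged or expired tokens.
export function sessionFromCookie(cookieHeader: string | undefined, now = Date.now()): Session | null {
  const pair = (cookieHeader ?? "").split(";").map((c) => c.trim()).find((c) => c.startsWith("session="));
  const [id, sig] = (pair?.slice("session=".length) ?? "").split(".");
  if (!id || !sig) return null;
  const expected = sign(id);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const session = sessions.get(id);
  return session && session.expiresAt > now ? session : null;
}

// Minimal request/response shapes (assumed, not Next.js types) so the example runs anywhere.
interface Req { headers: Record<string, string | undefined>; body?: Record<string, unknown> }
interface Res { status: number; body: unknown }
type AuthedHandler = (req: Req, session: Session) => Res;

// requireAuth() as a wrapper: a route built this way cannot forget the check,
// because the handler body is unreachable without a valid session.
export function requireAuth(handler: AuthedHandler): (req: Req) => Res {
  return (req) => {
    const session = sessionFromCookie(req.headers["cookie"]);
    return session ? handler(req, session) : { status: 401, body: { error: "unauthorized" } };
  };
}

// A parameterized query: SQL text and values travel separately (which is what Drizzle and pg
// do underneath), so a search string like "' OR 1=1 --" stays data. The user_id comes from
// the session, never from the request, which is the scoping the checklist asks for.
export interface Query { text: string; values: unknown[] }
export function notesForUser(session: Session, search: string): Query {
  return {
    text: "select id, title from notes where user_id = $1 and title ilike $2",
    values: [session.userId, `%${search}%`],
  };
}

export const getNotes = requireAuth((req, session) => {
  const raw = req.body?.search;
  const search = typeof raw === "string" ? raw : "";
  return { status: 200, body: notesForUser(session, search) };
});
```

The point of the wrapper shape is that the audit question "does every route call requireAuth()?" becomes a grep for route handlers that are not wrapped. A client that sends its own user_id in the body is simply ignored; the only scope the query ever sees is the one the signed cookie resolved to.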
Environment checks:
1. .env.local is in your .gitignore. If it is not, your secrets will be pushed to GitHub. If it was ever committed, deleting the file is not enough: the keys stay in the git history, so rotate them.
2. No secrets in client-side code. Anything with the NEXT_PUBLIC_ prefix is inlined into the browser bundle at build time and visible to everyone.
3. Service role key only used server-side. Never in a component or page file. It bypasses RLS, so whoever holds it holds your whole database.
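The three environment checks can be scripted rather than eyeballed. This is an added example for this page, not the author's tooling: it checks that .gitignore covers .env.local (with a deliberately simplified matcher), parses the env file, and flags any NEXT_PUBLIC_ variable whose name or value looks like a server-side secret. The name keyword list and the sk_ prefix (Stripe secret keys) are heuristics; the JWT check relies on Supabase's JWT-format anon/service_role keys carrying a role claim. The .gitignore and .env.local contents at the bottom are constructed samples.

```typescript
export interface Finding { key: string; reason: string }

// Minimal .gitignore matcher: comments, leading "/", trailing "/", "*" within a segment and
// "!" negation (last match wins). Real gitignore semantics are richer; this is enough to
// catch ".env.local is not ignored". Assumption: the file is checked against the repo root.
export function gitignoreCovers(gitignoreText: string, file: string): boolean {
  let covered = false;
  for (const line of gitignoreText.split(/\r?\n/)) {
    const p = line.trim();
    if (!p || p.startsWith("#")) continue;
    const negated = p.startsWith("!");
    const pattern = (negated ? p.slice(1) : p).replace(/^\//, "").replace(/\/$/, "");
    const escaped = pattern.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
    if (new RegExp("^" + escaped.join("[^/]*") + "$").test(file)) covered = !negated;
  }
  return covered;
}

// KEY=value lines, optional quotes, # comments. Not a full dotenv parser.
export function parseEnv(text: string): Record<string, string> {
  const env: Record<string, string> = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    env[m[1]] = m[2].trim().replace(/^(['"])(.*)\1$/, "$2");
  }
  return env;
}

// Supabase's JWT-format anon and service_role keys carry a "role" claim in the payload.
// Decode it (no verification needed, we only want to know which key this is).
function jwtRole(value: string): string | undefined {
  const parts = value.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : undefined;
  } catch {
    return undefined;
  }
}

// Anything NEXT_PUBLIC_ ships to the browser. Flag such variables whose name or value
// looks like a secret. Keyword list and sk_ prefix are heuristics; extend them per provider.
export function findExposedSecrets(env: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith("NEXT_PUBLIC_")) continue;
    if (/SECRET|PRIVATE|SERVICE_ROLE|PASSWORD|DATABASE_URL/.test(key)) {
      findings.push({ key, reason: "secret-looking name is NEXT_PUBLIC_" });
    } else if (jwtRole(value) === "service_role") {
      findings.push({ key, reason: "value is a Supabase service_role JWT" });
    } else if (/^sk_(live|test)_/.test(value)) {
      findings.push({ key, reason: "value looks like a Stripe secret key" });
    }
  }
  return findings;
}

// Constructed samples so the check runs stand-alone. The JWTs are unsigned fakes.
const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
export const SAMPLE_SERVICE_ROLE_JWT = `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", role: "service_role" })}.sig`;
export const SAMPLE_ANON_JWT = `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", role: "anon" })}.sig`;
export const SAMPLE_GITIGNORE = "node_modules/\n.next/\n# local env files\n.env*\n!.env.example\n";
export const SAMPLE_ENV_LOCAL = [
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${SAMPLE_ANON_JWT}`,
  `NEXT_PUBLIC_SUPABASE_KEY="${SAMPLE_SERVICE_ROLE_JWT}"`, // service key behind a public name
  `SUPABASE_SERVICE_ROLE_KEY=${SAMPLE_SERVICE_ROLE_JWT}`, // fine: server-only name
  "NEXT_PUBLIC_STRIPE_SECRET=sk_test_constructed",
].join("\n");

// Returns the list of problems; an empty list means the three checks passed.
export function preDeployCheck(gitignore: string, envLocal: string): string[] {
  const problems: string[] = [];
  if (!gitignoreCovers(gitignore, ".env.local")) problems.push(".env.local is not covered by .gitignore");
  for (const f of findExposedSecrets(parseEnv(envLocal))) problems.push(`${f.key}: ${f.reason}`);
  return problems;
}
```

Wire preDeployCheck into the deploy script with the real file contents (readFileSync on .gitignore and .env.local) and fail the deploy on a non-empty result. The anon key is allowed through on purpose: it is meant to be public and RLS is what protects the data behind it, which is why item 1 of the database checks matters so much.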
API route checks:
1. Input validation on all endpoints. Never trust what comes in from the client, including field types and lengths.
2. Generic error messages only. No stack traces, no internal details in the response; log the detail server-side.
3. Rate limiting on auth endpoints to prevent brute force.
4. Webhook signature verification on payment endpoints, computed over the raw request body and checked before the body is parsed or acted on.
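Items 2 through 4 above are where most real-world slips happen, so here is an added example for this page (not the author's security.ts and not a provider SDK): a Stripe-style signature verifier with timing-safe comparison and a replay window, a sliding-window rate limiter, and a payment webhook handler that uses both and keeps its error responses generic. The "t=...,v1=..." header format is assumed to mirror the scheme Stripe documents; check your provider's documentation for its exact format. The secret, request shape and event body are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Verify a header of the form "t=<unix seconds>,v1=<hex hmac>[,v1=<hex hmac>...]".
// The signed payload is `${t}.${rawBody}`; rawBody must be the exact bytes received, not
// re-serialized JSON, or the HMAC will never match. Assumption: this mirrors Stripe's scheme.
export function verifyWebhookSignature(
  rawBody: string,
  sigHeader: string,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  toleranceSeconds = 300,
): boolean {
  let timestamp: string | undefined;
  const candidates: string[] = [];
  for (const part of sigHeader.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const k = part.slice(0, eq).trim(), v = part.slice(eq + 1).trim();
    if (k === "t") timestamp = v;
    else if (k === "v1") candidates.push(v);
  }
  if (!timestamp || !/^\d+$/.test(timestamp) || candidates.length === 0) return false;
  // Reject stale timestamps so a captured, validly signed delivery cannot be replayed later.
  if (Math.abs(nowSeconds - Number(timestamp)) > toleranceSeconds) return false;
  const expected = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
  return candidates.some((hex) => {
    const given = Buffer.from(hex, "hex");
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
}

// Produce the header a provider following the same scheme would send (used for testing).
export function signWebhook(rawBody: string, secret: string, timestampSeconds: number): string {
  const mac = createHmac("sha256", secret).update(`${timestampSeconds}.${rawBody}`).digest("hex");
  return `t=${timestampSeconds},v1=${mac}`;
}

// Sliding-window limiter keyed by client (IP, account, ...). In-memory, so it only protects
// a single long-lived process; on serverless or multi-instance deploys back it with Redis.
export class RateLimiter {
  private hits = new Map<string, number[]>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}
  allow(key: string, now = Date.now()): boolean {
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return allowed;
  }
}

// Minimal request/response shapes (assumed, not Next.js types).
interface Req { headers: Record<string, string | undefined>; rawBody: string; ip: string }
interface Res { status: number; body: unknown }

export const WEBHOOK_SECRET = "whsec_constructed_example_secret"; // server-only in a real app
const webhookLimiter = new RateLimiter(60, 60_000);

// Payment webhook route: rate-limit, verify the signature over the raw body, and only then
// parse and validate it. The caller sees a generic message; the detail goes to the server log.
export function paymentWebhook(req: Req, nowSeconds = Math.floor(Date.now() / 1000)): Res {
  if (!webhookLimiter.allow(req.ip, nowSeconds * 1000)) return { status: 429, body: { error: "too many requests" } };
  const sig = req.headers["stripe-signature"];
  if (!sig || !verifyWebhookSignature(req.rawBody, sig, WEBHOOK_SECRET, nowSeconds)) {
    return { status: 400, body: { error: "invalid signature" } };
  }
  try {
    const event = JSON.parse(req.rawBody) as { type?: unknown };
    if (typeof event.type !== "string") return { status: 400, body: { error: "invalid payload" } };
    return { status: 200, body: { received: event.type } };
  } catch (err) {
    console.error("webhook parse failed", err); // internal detail stays server-side
    return { status: 400, body: { error: "invalid payload" } };
  }
}
```

Two details are easy to get wrong: the comparison must be constant-time (timingSafeEqual after a length check, never ===), and the body must be read raw, because frameworks that parse JSON for you change whitespace and key order and break the HMAC. The same RateLimiter, keyed by IP or by account, is what goes in front of the login and password-reset routes.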
Security audit prompt for Claude Code
Audit this entire project for security issues. Check every API route for auth protection, every database query for RLS compliance, every environment variable for exposure risk, and every form for input validation. List every issue you find with the file path and line number.
The full course includes my complete security.ts utility library that handles auth, input validation, and rate limiting out of the box.
Liked this? There's 30x more in the course.
One-time purchase. Keep forever.