I forked a popular vibe-coding template. Is it secure by default?

Short answer

No. Most popular templates ship with intentionally open defaults so new users can see things working quickly: RLS (Supabase row-level security) is disabled or permissive, auth is email-only, rate limits don't exist, and example `.env` files may still contain live keys from the template author. Before you launch, swap every placeholder key, turn on RLS with policies for every user-data table, add rate limits, and enable email verification.

Templates prioritize 'works in 30 seconds' over 'safe in 30 seconds'. They can't really be secure by default, because:

- Secure defaults depend on tenant setup (who owns which row, which roles exist), and templates skip that.
- The author has no idea what your data model will be, so RLS policies can't be written for you.
- Example `.env` files exist to show structure, and sometimes ship with the author's real keys (hopefully revoked).

The pre-launch checklist when forking a template:

**1. Rotate every key in `.env.example` or `.env.local`.** Assume any value there is either a placeholder or (worse) a live key the author forgot to revoke. Generate fresh ones for your own app, and check that `.env.local` is listed in `.gitignore` so your new values don't end up in the repo the way the author's did.

**2. Enable RLS on every user-data table.** Templates usually create tables with RLS disabled so the demo works. Go to Supabase → your tables → enable RLS and write policies scoped by `auth.uid()`. Two caveats: enabling RLS with no policies blocks every read and write through the anon/authenticated keys, so the app will look broken until the policies exist; and the `service_role` key bypasses RLS entirely, so it must only ever be used server-side and never shipped to the browser.

**3. Turn on email verification.** In Supabase Auth → enable 'Confirm email'. Template demos usually disable this for faster sign-ups.

**4. Add rate limits.** Templates almost never include them. Use Upstash Ratelimit on login, signup, password reset, and any route that calls OpenAI or Anthropic on your behalf (every unthrottled request there costs you money). Key signup limits on the client IP; key login and reset limits on the account identifier as well, so one IP can't hammer a single account and one account can't be locked out from many IPs.

**5. Remove the author's social links and analytics IDs.** Templates often ship with the author's Google Analytics, Plausible, PostHog, or Clerk configuration embedded. Every one of these should be yours, otherwise your traffic and user events report to someone else's dashboard.

**6. Check for demo accounts.** Some templates include a demo user (`demo@example.com` / `password`), sometimes seeded by a migration rather than created through the UI, so look in `auth.users` directly. Delete it before launch.

**7. Check the auth config.** Templates often default to email+password with no OAuth. If you want Google / GitHub / Apple login, add those. If you don't, make sure the password requirements are reasonable (minimum 10 characters, not just 6; Supabase Auth lets you set the minimum length in the Auth settings).
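Steps 2 and 6 are the ones where a wrong click leaves data exposed, so here is the audit as SQL you can paste into the Supabase SQL editor. This is an added example, not code from the page or from any particular template: the `documents` table and its `owner_id` column are assumptions standing in for your own user-data tables, and the demo address is the one from step 6.

```sql
-- Added example: pre-launch RLS and demo-account audit for a Supabase project.
-- Assumptions: a public.documents table with an owner_id uuid column that
-- stores auth.users.id; adapt the names to your own schema.

-- 1. Public tables with RLS switched off. Every row in these is readable and
--    writable in full through the anon/authenticated keys that ship in the
--    browser bundle.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity;

-- 2. RLS on but no policies at all. Safe by accident (everything except the
--    service role is denied), which is why templates turn RLS off to make the
--    demo work; enabling it without policies will "break" the app the same way.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and c.relrowsecurity
group by c.relname
having count(p.policyname) = 0;

-- 3. Enable RLS and add one policy per operation, scoped by auth.uid().
--    `to authenticated` means the anon key never matches; insert/update use
--    WITH CHECK so a user cannot write a row that points at someone else.
--    The service_role key bypasses all of this, so keep it server-side only.
alter table public.documents enable row level security;

create policy "documents: owner can read"
  on public.documents for select
  to authenticated
  using (owner_id = auth.uid());

create policy "documents: owner can insert"
  on public.documents for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "documents: owner can update"
  on public.documents for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "documents: owner can delete"
  on public.documents for delete
  to authenticated
  using (owner_id = auth.uid());

-- 4. Demo accounts seeded by the template. Review the list first; Supabase's
--    own auth tables (identities, sessions) cascade on delete, but check the
--    foreign key on any profiles table you own before running the delete.
select id, email, created_at
from auth.users
where email like '%@example.com' or email ilike 'demo%';

delete from auth.users where email = 'demo@example.com';
```

Re-run queries 1 and 2 after your migration: both should return zero rows. Then confirm the policies from the client's point of view by signing in as two different users and checking that each sees only its own documents, which is the test the dashboard toggle alone does not give you.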

**What templates DO get right:** most established templates wire up Supabase Auth / Clerk / Auth0 correctly, follow framework conventions for API routes, and lean on the framework or auth provider for password hashing and session tokens rather than rolling their own. You don't need to replace these; just verify they are configured the way the provider documents.

Securie's free scan (launching this year) will find all of the above without you having to audit line-by-line. Join the list for a week-1 run — most scans on forked templates come back with 5-10 issues, all fixable in a weekend.
