Security checklists
Copy-paste security checklists for the moments when you are about to ship something new.
Pre-launch security checklist — before your app meets real users
The 42-item checklist to run before your AI-built app hits production. Covers auth, data, secrets, dependencies, headers, logging. Solo-founder-friendly.
Supabase launch checklist — ship without leaking data
Twenty-item checklist before your Supabase-backed app hits real users. RLS policies, bucket permissions, function auth, service-role hygiene.
Next.js security checklist — 2026 production ready
The full Next.js security checklist for 2026. Middleware, server actions, env vars, headers, dependencies. Works for Next.js 14 and 15.
AI feature security checklist — LLMs, RAG, agents
The security checklist for adding AI features to your app. Prompt injection, tool-scope, RAG poisoning, rate limits, cost control.
Open-source release security checklist
Before you publish your repo, your npm package, or your PyPI library — run this checklist. Covers history, secrets, dependencies, provenance.
Vibe coding security checklist — before your app goes viral
Twenty checks every vibe-coded app (Lovable / Bolt / v0 / Replit / Cursor) should pass before shipping to real users. The defense for when the tweet hits.
Vibe-coder pre-Show HN security checklist
Last-minute hardening before posting to Show HN. Front-page slot lasts 4 hours; bots find your bugs in 6 minutes.
Supabase RLS audit playbook
Per-table RLS review. Run quarterly and before any major release. The Lovable Apr 2026 BOLA breach affected 10.3% of apps because of missing RLS — this is the structural fix.
OpenAI / Anthropic key leaked — 10-minute emergency response
Documented Claude Opus victim ran 4.5 days at ~$50K. Here's the 10-minute revoke + rotate + audit playbook.