Vibe-coder pre-Show HN security checklist

Updated

Last-minute hardening before posting to Show HN. Front-page slot lasts 4 hours; bots find your bugs in 6 minutes.

For: Solo founders launching on Show HN tomorrow

Secrets + env vars

  • No NEXT_PUBLIC_ / VITE_ / PUBLIC_ prefix on any secret [critical]
  • Run gitleaks: `npx gitleaks detect --source .` [critical]
  • Add `.claude/`, `.cursor/`, `.continue/` to .gitignore + .npmignore [critical]
  • Set vendor-side spend cap on every paid AI API (OpenAI Limits, Anthropic Console) [critical]
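
Added example (not from this checklist or any tool it names): a small audit that parses a .env file and flags entries whose build-time public prefix (NEXT_PUBLIC_, VITE_, PUBLIC_) would inline the value into the browser bundle even though the variable name looks like a server-only credential. The prefix list is the checklist's; the name hints, the sample file and its placeholder values are constructed for illustration and will not catch a secret with an innocuous name.

```typescript
// Added example, not from the checklist: audit .env entries for secrets
// that a public prefix would ship to the client bundle.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "PUBLIC_"];
// Assumption: name fragments that usually mark a server-only credential.
const SECRET_HINTS = ["SECRET", "PRIVATE", "TOKEN", "PASSWORD", "SERVICE_ROLE", "API_KEY", "WEBHOOK"];

export interface EnvFinding { key: string; prefix: string; hint: string; }

// Minimal .env parser: KEY=value lines, '#' comment lines, optional quotes.
// Inline comments after a value are not handled.
export function parseDotEnv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    out[key] = value;
  }
  return out;
}

// Flag every public-prefixed key whose name contains a secret hint.
export function auditEnv(env: Record<string, string>): EnvFinding[] {
  const findings: EnvFinding[] = [];
  for (const key of Object.keys(env)) {
    const prefix = PUBLIC_PREFIXES.find((p) => key.startsWith(p));
    if (!prefix) continue;
    const hint = SECRET_HINTS.find((h) => key.toUpperCase().includes(h));
    if (hint) findings.push({ key, prefix, hint });
  }
  return findings;
}

// Constructed sample file; every value is a placeholder, not a real key.
export const SAMPLE_ENV = `
# public by design: the Supabase anon key is meant to reach the browser
NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY="placeholder-anon-key"
# wrong: paid-API credentials with a public prefix land in the client bundle
NEXT_PUBLIC_OPENAI_API_KEY='placeholder-openai-key'
VITE_STRIPE_SECRET_KEY=placeholder-stripe-secret
# fine: no public prefix, stays server-side
STRIPE_SECRET_KEY=placeholder-stripe-secret
SUPABASE_SERVICE_ROLE_KEY=placeholder-service-role
`;

// Keys the audit flags in the sample file.
export function flaggedKeys(): string[] {
  return auditEnv(parseDotEnv(SAMPLE_ENV)).map((f) => f.key);
}
```

Run it against your real .env before the gitleaks pass; the two checks are complementary, since gitleaks looks at values committed to git while this looks at names that the bundler will expose regardless of whether they were ever committed.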

Auth + authorization

  • Every protected route has session check [critical]
  • Every dynamic /[id] route has ownership check (BOLA fix) [critical]
  • Every Server Action has CSRF guard (origin check or token) [critical]
  • Admin routes behind explicit role check
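
Added example (not from this checklist or from Next.js itself): an in-memory model of the session, ownership and origin checks above for a dynamic /docs/[id] route. The sample documents, the Session and Doc shapes, and the assumption that request headers arrive as a plain object are constructed for illustration; the allowed-origin list would come from your deployment config.

```typescript
// Added example, not framework code: session + ownership check for /docs/[id]
// and an Origin-based CSRF guard for mutating Server Actions.
export interface Session { userId: string; role: "user" | "admin"; }
export interface Doc { id: string; ownerId: string; body: string; }
export type GetDocResult = { status: 200; doc: Doc } | { status: 401 | 403 | 404 };

// Constructed sample data standing in for a database table.
const DOCS: Doc[] = [
  { id: "d1", ownerId: "u1", body: "alice's notes" },
  { id: "d2", ownerId: "u2", body: "bob's notes" },
];

// GET /docs/[id]: reject anonymous callers first, then verify the caller owns
// the object named in the URL (or is an admin). Looking a row up by the URL id
// alone, with no owner comparison, is the BOLA bug the checklist refers to.
export function getDoc(session: Session | null, id: string): GetDocResult {
  if (!session) return { status: 401 };
  const doc = DOCS.find((d) => d.id === id);
  if (!doc) return { status: 404 };
  if (doc.ownerId !== session.userId && session.role !== "admin") return { status: 403 };
  return { status: 200, doc };
}

// Case-insensitive header lookup (assumption: headers are a plain map).
function header(headers: Record<string, string | undefined>, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === wanted) return v;
  return undefined;
}

// CSRF guard for a Server Action or any state-changing POST: the request's
// Origin (falling back to the Referer's origin) must be one of our own
// origins. A missing or unparsable header fails closed.
export function originAllowed(headers: Record<string, string | undefined>, allowedOrigins: string[]): boolean {
  let origin = header(headers, "origin");
  if (!origin) {
    const referer = header(headers, "referer");
    if (!referer) return false;
    try { origin = new URL(referer).origin; } catch { return false; }
  }
  return allowedOrigins.includes(origin);
}
```

Returning 404 instead of 403 for a document the caller does not own avoids confirming that the id exists; either way the comparison against the session's user id is the part that must never be skipped.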

Supabase RLS

  • Every table has RLS enabled [critical]
  • Every table has tenant-scoped policy (auth.uid() AND tenant claim) [critical]
  • Default-deny baseline layered under explicit allows
  • Storage buckets have RLS + signed URLs

Rate limits

  • Per-IP rate limit at edge (Upstash / Cloudflare) [critical]
  • Per-user rate limit (more restrictive than IP) [critical]
  • Per-tenant spend cap on paid-API routes (cost-firewall)
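
Added example (not from this checklist, Upstash or Cloudflare): an in-memory fixed-window limiter showing how the three layers above stack, with the per-user limit tighter than the per-IP limit and a per-tenant spend cap in front of a paid-API route. The limit values, the window size and the cost figures are constructed; a real deployment keeps these counters in shared storage at the edge rather than in process memory.

```typescript
// Added example, not vendor code: layered per-IP, per-user and per-tenant limits.
interface WindowState { count: number; resetAt: number; }

// Fixed-window counter keyed by an arbitrary string (ip:... or user:...).
export class FixedWindowLimiter {
  private windows = new Map<string, WindowState>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Record one request; returns false when the key is over its limit.
  hit(key: string, now: number): boolean {
    const w = this.windows.get(key);
    if (!w || now >= w.resetAt) {
      this.windows.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    if (w.count >= this.limit) return false;
    w.count += 1;
    return true;
  }
}

// Per-tenant spend cap for paid-API routes: a request is refused once its
// estimated cost would push the tenant past the cap.
export class TenantSpendCap {
  private spentCents = new Map<string, number>();
  constructor(private readonly capCents: number) {}

  charge(tenantId: string, estimatedCents: number): boolean {
    const spent = this.spentCents.get(tenantId) ?? 0;
    if (spent + estimatedCents > this.capCents) return false;
    this.spentCents.set(tenantId, spent + estimatedCents);
    return true;
  }
}

export interface Limits { ip: FixedWindowLimiter; user: FixedWindowLimiter; spend: TenantSpendCap; }
export type Decision = "allow" | "ip-limited" | "user-limited" | "spend-capped";

// Evaluate the layers in order: IP (cheapest, works for anonymous traffic),
// then the stricter per-user limit, then the tenant's spend cap.
export function checkRequest(
  limits: Limits, ip: string, userId: string | null, tenantId: string | null,
  estimatedCents: number, now: number,
): Decision {
  if (!limits.ip.hit(`ip:${ip}`, now)) return "ip-limited";
  if (userId && !limits.user.hit(`user:${userId}`, now)) return "user-limited";
  if (tenantId && estimatedCents > 0 && !limits.spend.charge(tenantId, estimatedCents)) return "spend-capped";
  return "allow";
}

// Constructed limits: 5 requests per IP, 2 per user, per 60 s window; 100 cents per tenant.
export function makeLimits(): Limits {
  return {
    ip: new FixedWindowLimiter(5, 60_000),
    user: new FixedWindowLimiter(2, 60_000),
    spend: new TenantSpendCap(100),
  };
}
```

Note that the IP counter is charged before the user check runs, so a user who is user-limited still consumes IP budget; that is intended, since the point of the outer layer is to bound total traffic from one address regardless of which accounts it presents.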

Monitoring

  • Sentry / equivalent error monitoring active [critical]
  • Cloudflare / Vercel Analytics for traffic patterns
  • Slack / email alert for SEV1 errors

Headers + DNS

  • HSTS via next.config.mjs [critical]
  • X-Frame-Options DENY [critical]
  • DNS DNSSEC enabled
  • TLS 1.3 enforced

Final pre-flight

  • IR runbook printed + posted in war-room channel [critical]
  • Backup-restore drill completed in past quarter [critical]
  • Stripe spend cap configured
  • Status page live (status.yourapp.com)