Securie for SvelteKit
Securie covers SvelteKit's hooks, server-route, and form-actions model. Missing auth in `load` functions, misconfigured hooks, and CSRF in form actions are all caught pre-merge.
Why it matters for SvelteKit
Install on your SvelteKit repo. Every `+page.server.ts`, `+server.ts`, and hooks file is reviewed.
- Covers SvelteKit 2 App Router (+page.server / +server / +layout)
- Validates handle / handleFetch hooks for auth coverage
- Detects form actions without CSRF protection
- Checks `PUBLIC_` env vars + static asset leakage
Common bugs we catch in SvelteKit
Missing auth in +page.server.ts load()
SvelteKit calls load() on every navigation and server-side render, so a load() with no auth check leaks its data to anyone who requests the page.
hooks.server.ts handle() that returns on error
Hooks that silently return on auth errors let unauthenticated requests through. Securie models hook control flow.
Form actions without origin check
SvelteKit form actions accept cross-origin POSTs unless you add a check. Securie requires an explicit CSRF check.
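The hooks.server.ts and load() bugs above, side by side with a fail-closed version. This is an added example, not Securie's or SvelteKit's code: the types are simplified stand-ins for the framework's, `resolve` is synchronous here, and `verifySession`, the session table, and the paths are hypothetical.

```typescript
// Simplified stand-ins for SvelteKit's event and response types (assumptions,
// not the real @sveltejs/kit types) so the file runs without the framework.
type Res = { status: number; body: string };
type ReqEvent = { path: string; cookie: string | null; locals: { user?: string } };
type Resolve = (event: ReqEvent) => Res;
type Handle = (input: { event: ReqEvent; resolve: Resolve }) => Res;

// Hypothetical session verifier: throws on a missing or unknown token.
const SESSIONS = [{ token: "tok-alice", user: "alice" }]; // constructed sample data
function verifySession(token: string | null): string {
  for (const s of SESSIONS) if (token === s.token) return s.user;
  throw new Error("invalid session");
}

// Fail-open: the catch swallows the auth error and the request still resolves.
const handleFailOpen: Handle = ({ event, resolve }) => {
  try {
    event.locals.user = verifySession(event.cookie);
  } catch (err) {
    // error ignored, control falls through to resolve()
  }
  return resolve(event);
};

// Fail-closed: every path that did not authenticate ends in a 401.
const PUBLIC_PATHS = ["/login"]; // hypothetical allowlist
const handleFailClosed: Handle = ({ event, resolve }) => {
  if (PUBLIC_PATHS.indexOf(event.path) !== -1) return resolve(event);
  try {
    event.locals.user = verifySession(event.cookie);
  } catch (err) {
    return { status: 401, body: "unauthorized" };
  }
  return resolve(event);
};

// Stand-in for a route whose load() has no auth check of its own.
const resolveRoute: Resolve = (event) => ({ status: 200, body: "data for " + event.path });

// Runs one request through a hook and returns the status the client would see.
function probe(handle: Handle, path: string, cookie: string | null): number {
  return handle({ event: { path, cookie, locals: {} }, resolve: resolveRoute }).status;
}
```

With the fail-open hook, a request carrying no cookie reaches the unguarded route and gets a 200; the fail-closed hook answers 401 for the same request.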
Install in under a minute
- Install the Securie GitHub App on your SvelteKit repo
- Securie detects svelte.config.js + your adapter
- Push any change. Findings appear on the PR.
SvelteKit is a project of the Svelte team. Securie is independent.