Securie for SvelteKit
SvelteKit's form actions + load functions are the security boundary. Missing auth on a load function = data leak; missing CSRF on a form action = state-change attack.
Why it matters for SvelteKit
Securie reviews every SvelteKit PR; specialists cover load + actions + hooks.server.
- Designed for SvelteKit 2+
- Catches missing auth on load + actions
- Validates +page.server.ts and hooks.server.ts
- Works with Vercel + Netlify + Cloudflare
Common bugs we catch in SvelteKit
Form action without CSRF protection
+page.server.ts actions accept cross-origin POSTs unless explicitly guarded. Add SvelteKit's CSRF guard or origin check.
load() without session check
+page.server.ts load() runs server-side but defaults to no auth. Add session check + redirect for protected pages.
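One way to enforce both checks above in a single place, written in the shape of a hooks.server handle hook (an added example, not Securie's or SvelteKit's own code). The PROTECTED route list, the /login redirect target and event.locals.session are assumptions about the app; the sample events are constructed.

```javascript
// Added sketch. PROTECTED, '/login' and event.locals.session are assumptions about the app.
const PROTECTED = ['/dashboard', '/settings']; // hypothetical protected route prefixes
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const UNSAFE = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

/** Returns a Response that blocks the request, or null to let it continue. */
function guard(event) {
  const { request, url, locals } = event;
  const type = (request.headers.get('content-type') ?? '').split(';')[0].trim().toLowerCase();

  // 1. Form actions: reject state-changing form posts whose Origin is not this site.
  //    A missing Origin header counts as a mismatch.
  if (UNSAFE.has(request.method) && FORM_TYPES.includes(type) &&
      request.headers.get('origin') !== url.origin) {
    return new Response('Cross-site form submission rejected', { status: 403 });
  }

  // 2. load() and actions on protected routes: require a session before anything runs.
  //    Match whole path segments so '/dashboardx' is not treated as '/dashboard'.
  const isProtected = PROTECTED.some((p) => url.pathname === p || url.pathname.startsWith(p + '/'));
  if (isProtected && !locals.session) {
    const back = encodeURIComponent(url.pathname + url.search);
    return new Response(null, { status: 303, headers: { location: '/login?redirectTo=' + back } });
  }
  return null;
}

// Shape of a SvelteKit handle hook; in src/hooks.server.js this would be exported as `handle`.
async function handle({ event, resolve }) {
  return guard(event) ?? resolve(event);
}

// Builds a constructed event with only the fields guard() reads.
function sampleEvent(method, href, headers = {}, session = null) {
  return { request: { method, headers: new Headers(headers) }, url: new URL(href), locals: { session } };
}
```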
Env vars leaked via $env/static/public
Anything in $env/static/public ships to the client. Confusing it with $env/static/private leaks secrets.
Install in under a minute
- Install the Securie GitHub App
- Securie auto-detects SvelteKit via @sveltejs/kit
- Push any PR
SvelteKit is open-source. Securie is independent.