I don't know if my app is safe — where do I start?

You don't need to learn security. You need a 20-minute assessment to know where you stand.

You're months into building your product. You've been heads-down on features. Now you're two weeks from launching to real users and you realize you have no idea whether any of it is safe.

What happens next

  1. Step 1 — check your deployed URL

    Run securityheaders.com on your live URL. Missing Content-Security-Policy, Strict-Transport-Security (HSTS) or X-Frame-Options headers are red flags. Free, no signup. It only inspects response headers, so a clean grade says nothing about your auth or data access; that is what the next step covers.

  2. Step 2 — check your database access

    Supabase: Studio → Authentication → Policies. Every user-data table needs RLS ON plus policies that reference `auth.uid()`. A table with RLS off is readable and writable by anyone holding your public anon key, since that key is shipped to the browser. RLS on with no policies denies everything to the anon and authenticated roles, so a broken page is the loud failure and a leak is the quiet one. Firebase: your rules file must not be default-allow (`allow read, write: if true;`), and `if request.auth != null` is barely better, because any signed-in user can then read every document.

  3. Step 3 — scan your repo for secrets

    Run `trufflehog git file://.` or `gitleaks detect --source .` locally. Both are open source and free, and both scan the full git history, not just the working tree. Anything they find is already exposed if the repo was ever public or shared: rotate the credential rather than just deleting the line, because the commit that introduced it stays in history.

  4. Step 4 — request a Securie review

    Request access at /scan. Once your repo is enabled, Securie reviews it and reports findings in plain English with proposed PR fixes.
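
As an added example (not from this page or from Securie), this is what Step 2 looks like in SQL for a Supabase project, in the form you would paste into the Studio SQL editor: a user-data table left open, the same table locked down with RLS and owner-scoped policies, and a query that lists any tables in `public` still without RLS. The table `public.notes` and the column `owner_id` are assumed names for illustration.

```sql
-- Added example, not part of the page or of Securie.
-- Table and column names (public.notes, owner_id) are assumptions.

-- BEFORE: RLS is off, so any request carrying the public anon key can read
-- and modify every row through the auto-generated REST API.
create table if not exists public.notes (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid(),
  body       text not null,
  created_at timestamptz not null default now()
);

-- AFTER: turn RLS on. With RLS enabled and no policies, the anon and
-- authenticated roles get nothing; only the service_role key (which
-- bypasses RLS and must never leave your server) can touch the table.
alter table public.notes enable row level security;

-- Each policy ties rows to the caller's JWT subject via auth.uid().
-- Rows with a different owner_id are invisible to the caller, not just
-- read-only, so enumeration through the REST API is blocked as well.
create policy "notes: owner can read"
  on public.notes for select
  to authenticated
  using (owner_id = auth.uid());

-- with check runs on the new row, so a user cannot insert on someone
-- else's behalf by supplying a foreign owner_id.
create policy "notes: owner can insert"
  on public.notes for insert
  to authenticated
  with check (owner_id = auth.uid());

-- update needs both: using selects which rows may be touched, with check
-- prevents re-assigning a row to another owner.
create policy "notes: owner can update"
  on public.notes for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "notes: owner can delete"
  on public.notes for delete
  to authenticated
  using (owner_id = auth.uid());

-- Check before launch: every ordinary table in the public schema whose
-- RLS flag is still off. For a user-data app this should return no rows.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Note that `anon` is deliberately absent from the policies: unauthenticated callers get no access at all, which is the right default for per-user data. If part of the table is meant to be public, add a separate, narrower `select` policy for `anon` rather than widening these.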

Without Securie

You hire a consultant for $5K to audit your app. They send you a PDF with 40 findings. You fix them, ship, and then you're blind again until the next audit.

With Securie

Once your repo is enabled, you get continuous coverage: every commit reviewed automatically, with proof and proposed fixes where Securie can reproduce the issue.

Exactly what to do right now

  1. Run securityheaders.com on your live URL
  2. In Supabase Studio, verify RLS is ON for every user-data table and that each has policies referencing `auth.uid()`
  3. Run trufflehog or gitleaks locally on your repo
  4. Read /checklist/pre-launch-security-checklist
  5. Request Securie access at /scan