Stack security playbooks

Security is stack-specific. Pick yours for the exhaustive checklist.

Next.js + Supabase + Vercel

The default stack for AI-built apps in 2026. The full security playbook: Supabase Row-Level-Security, Next.js middleware and Server Actions, Vercel deploy-gate, env-var hygiene, and the fifteen checks we see fail in every audit.

Next.js + PostgreSQL (no Supabase)

Running Next.js against Postgres directly (Prisma, Drizzle, raw pg) gives you full control and the full security burden. Here is the checklist: SQL injection defense, connection pooling on serverless, TLS, per-endpoint authorization, and least-privilege database roles.

Remix + Supabase

Remix loaders run on every navigation. Actions handle every write. If either is missing an auth check, you have a universal data leak or an unauthenticated mutation. This is the per-route security playbook for Remix + Supabase.

SvelteKit + Supabase

SvelteKit's load functions and form actions are the security surface. +page.server.ts runs server-side on every navigation; +server.ts handles raw API routes. Here is the per-route playbook plus Supabase RLS integration.

Next.js + Clerk

Clerk handles the hard parts of auth correctly by default. Your integration code — matcher gaps, Server Action auth assertions, webhook verification — is where the bugs ship. Here is the Next.js + Clerk security playbook.

Next.js + Firebase

Firebase's defense is its Security Rules file. Get that right, combine it with Admin SDK discipline and App Check, and you have a defensible architecture. Here is the playbook plus the rules anti-patterns that leak data every month.

Astro + Turso (libSQL)

Astro server endpoints with Turso's libSQL give you edge-SQL wherever the user is. The security considerations: Astro route protection, libSQL parameterized queries, Turso auth-token scope, and the PUBLIC_ env-var bundling trap.

Remix + PlanetScale

Remix with PlanetScale / Vitess is a resilient MySQL-compatible stack for apps that outgrow SQLite-class databases. The security model: parameterized queries, connection pooling, PlanetScale's branch-based schema workflow, and Remix's usual loader/action discipline.

Nuxt + Firebase

Nuxt 3 with Firebase combines Nitro server routes with Firestore's rules-based authorization. The surfaces: Firestore rules (declarative), Nitro /server/api endpoints (imperative), and the runtimeConfig split that silently leaks secrets to the client.

Hono + Cloudflare D1

Hono running on Cloudflare Workers with D1 (SQLite at the edge) is the smallest production stack that still supports SQL. Binding-scope correctness, parameterized queries, and request-size caps are the three things that matter most.

Astro + Turso + Cloudflare Pages

Astro on Cloudflare Pages with Turso libSQL. Edge-deployed with sub-100ms cold starts; the security boundary is Astro's island prop pass-through plus Turso's libSQL connection-string handling.

Remix + Postgres + Fly.io

Remix on Fly with managed Postgres. Loaders + actions are the security boundary; Fly's health-check + secrets-management is the operational substrate.

Bolt.new + Firebase

Bolt-prototyped apps backed by Firebase. Default Firebase rules are permissive, auth flows are opt-in, and Storage buckets default to public. Three layers to lock down before shipping.

Lovable + Supabase (post-BOLA-Apr-2026)

Lovable's Apr 2026 BOLA breach affected 10.3% of scanned apps for 48 days. The failure pattern: a hardcoded anon_key plus missing RLS on browser-to-Supabase REST calls. This playbook is the post-breach hardening guide.

FastAPI + Postgres + Render

FastAPI + managed Postgres on Render. The boundaries: dependency-injected auth, SQLAlchemy parameter binding, and Render's environment-group secrets management.

Rails 8 + Postgres + Render

Rails 8 with Hotwire on managed Postgres. Strong Parameters + Action Cable channel auth + per-user Eloquent scope are the boundaries.

SvelteKit + PlanetScale + Vercel

SvelteKit on Vercel with PlanetScale (MySQL). The boundaries: form actions, load functions, and the PlanetScale serverless-driver-vs-connection-string split.

Nuxt 3 + Drizzle + Vercel

Nuxt 3 server routes + Drizzle ORM + Vercel deploys. Security boundaries: server route auth, runtimeConfig public/private split, Drizzle parameter safety.

Phoenix LiveView + Postgres + Fly.io

Phoenix LiveView on Fly with managed Postgres. Channel auth + LiveView event handlers + JWT verification are the boundaries.