SvelteKit + PlanetScale + Vercel security playbook

SvelteKit + PlanetScale is a strong serverless stack. The recurring security problems are: missing auth in load() and form actions, confusion between the private and public scopes of $env, and careless handling of the PlanetScale connection string.

What breaks on this stack

Form action without CSRF

Form actions in +page.server.ts need SvelteKit's built-in CSRF origin check left enabled, or an equivalent origin guard of your own.

load() without session check

load() in +page.server.ts performs no authentication by default: it runs for any request unless you check the session yourself (ideally once, in hooks.server.ts).

$env/static/public secret leak

Anything exposed through $env/static/public (the PUBLIC_-prefixed variables) is inlined into the client bundle, so a server secret placed there ships to every browser.

PlanetScale connection string with admin scope

Give the app a scoped service token or password with only the access it needs; never deploy the master connection string.
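
The origin guard described above, written out as an added example (not SvelteKit's own implementation, which performs an equivalent check by default). It uses a minimal request shape instead of SvelteKit's RequestEvent so it runs stand-alone; handleLogin is a hypothetical stand-in for your real credential check.

```typescript
// Origin guard for form actions (added example, not SvelteKit code).
// Minimal view of the request; SvelteKit's event exposes the same data via
// event.request.method, event.url and event.request.headers.
export interface IncomingRequest {
  method: string;
  url: string;                      // absolute URL of the route being hit
  headers: Record<string, string>;  // lower-cased header names
  body?: string;                    // application/x-www-form-urlencoded body
}

const STATE_CHANGING = ["POST", "PUT", "PATCH", "DELETE"];

// True when the request may proceed. Safe methods always pass; state-changing
// submissions must carry an Origin (or, failing that, a Referer) whose origin
// equals the origin the app is served from.
export function isSameOrigin(req: IncomingRequest): boolean {
  const method = req.method.toUpperCase();
  if (STATE_CHANGING.indexOf(method) === -1) return true;

  const expected = new URL(req.url).origin;
  const origin = req.headers["origin"];
  if (origin) return origin === expected; // "null" and foreign origins fail here

  // Some older clients omit Origin on same-origin posts; fall back to Referer.
  const referer = req.headers["referer"];
  if (referer) {
    try {
      return new URL(referer).origin === expected;
    } catch (_err) {
      return false;
    }
  }
  // Nothing ties the request to our own pages: treat it as cross-site.
  return false;
}

// Mirrors the { status, body } shape a form action returns, without importing
// @sveltejs/kit so this file stays runnable on its own.
export interface ActionResult {
  status: number;
  body: string;
}

// A login-style form action wrapped in the guard. The cross-site case is
// rejected before the body is ever parsed or credentials are touched.
export function guardedAction(
  req: IncomingRequest,
  handleLogin: (form: Record<string, string>) => ActionResult, // hypothetical
): ActionResult {
  if (!isSameOrigin(req)) {
    return { status: 403, body: "cross-site form submission rejected" };
  }
  const form: Record<string, string> = {};
  new URLSearchParams(req.body ?? "").forEach((value, key) => {
    form[key] = value;
  });
  return handleLogin(form);
}
```

In a real route you would keep kit.csrf.checkOrigin at its default and reserve a guard like this for endpoints that accept form posts outside SvelteKit's action machinery.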

Pre-ship checklist

  • session check in hooks.server.ts, so every route under the protected prefix is gated in one place
  • form actions CSRF-protected (origin check enabled)
  • secrets read only from $env/static/private
  • PlanetScale scoped service tokens instead of the master connection string
  • env vars marked Sensitive in Vercel
  • Drizzle or Kysely so every query is parameterized
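
A pre-ship check for the "$env/static/public secret leak" item and the "$env/static/private for secrets" line above, as an added example (not SvelteKit's or Vercel's tooling). It assumes SvelteKit's default public prefix PUBLIC_ and flags variables that are public by prefix but look like secrets by name or by value. The SAMPLE_ENV map is constructed for the demonstration.

```typescript
// Audit of environment variable names/values before deploying a SvelteKit app.
// Added example; assumes kit.env.publicPrefix is the default "PUBLIC_", meaning
// every PUBLIC_* variable is importable from $env/static/public and ends up in
// the browser bundle.
export interface Finding {
  name: string;
  reason: string;
}

const PUBLIC_PREFIX = "PUBLIC_";

// Name fragments that almost always denote server-only material.
const SECRET_WORDS = ["SECRET", "TOKEN", "PASSWORD", "PRIVATE", "API_KEY", "DATABASE_URL", "DSN"];

// A value that parses as a URL with an embedded password is a credential
// (e.g. a database connection string), whatever the variable is called.
export function hasEmbeddedCredential(value: string): boolean {
  try {
    return new URL(value).password !== "";
  } catch (_err) {
    return false;
  }
}

export function looksSecretByName(name: string): boolean {
  const upper = name.toUpperCase();
  return SECRET_WORDS.some((word) => upper.indexOf(word) !== -1);
}

// Returns one finding per PUBLIC_* variable that should have been private.
export function auditEnv(env: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const name of Object.keys(env)) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue; // private scope: not inlined
    const byName = looksSecretByName(name);
    const byValue = hasEmbeddedCredential(env[name]);
    if (byName || byValue) {
      findings.push({
        name,
        reason:
          (byValue ? "value carries an embedded credential" : "name looks like a secret") +
          "; it is under PUBLIC_ and ships to the client bundle, move it to $env/static/private",
      });
    }
  }
  return findings;
}

// Constructed sample: one genuinely public value, one private connection string,
// and two mistakes that the audit should catch. Host and password are placeholders.
export const SAMPLE_ENV: Record<string, string> = {
  PUBLIC_APP_NAME: "demo",
  DATABASE_URL: "mysql://svc_user:placeholder_pw@db.example/app?ssl={\"rejectUnauthorized\":true}",
  PUBLIC_DATABASE_URL: "mysql://svc_user:placeholder_pw@db.example/app",
  PUBLIC_SESSION_SECRET: "placeholder-secret",
};

// Names of the offending variables, sorted, for a quick pass/fail in CI.
export function auditSample(): string[] {
  return auditEnv(SAMPLE_ENV).map((f) => f.name).sort();
}
```

Run it against process.env in a CI step and fail the build when auditEnv returns anything; the same check catches a secret that was renamed to PUBLIC_ by mistake during a refactor.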

Starter config

// hooks.server.ts
import type { Handle } from "@sveltejs/kit";
// verifySession is your own helper; this import path is a placeholder for wherever it lives.
import { verifySession } from "$lib/server/session";

export const handle: Handle = async ({ event, resolve }) => {
  // Resolve the session cookie to a user once, for every request.
  const session = event.cookies.get("session");
  event.locals.user = session ? await verifySession(session) : null;
  // Gate the whole /app subtree here so no individual load() can forget the check.
  if (event.url.pathname.startsWith("/app") && !event.locals.user) {
    return new Response(null, { status: 303, headers: { location: "/login" } });
  }
  return resolve(event);
};