Security
Check that your app is safe to use — authentication works, data is protected, and APIs are secure.
Run this audit before exposing your app to real users, after adding authentication, or when handling sensitive data.
The most critical audit — security issues can't wait.
Why This Matters
Security issues are the hardest to fix after launch. A data breach destroys trust instantly. Running this audit early and often catches problems when they're still easy to address — before real users and real data are at risk.
What to Check
Four areas to verify. Each area has key questions to answer:
Authentication
Can only the right people get in? Check that login works correctly, that sessions expire and are invalidated on logout, and that every protected resource verifies the caller's identity and permissions on the server, not just in the UI.
Data Protection
Is sensitive data handled safely? Check that personal information is encrypted in transit and at rest, that it is redacted from logs rather than written verbatim, and that users can export or delete their data on request.
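One way to do the "not logged inappropriately" part, as an added example that is not part of this page or the audit tool: a redactor run over every log record before it is written. It replaces the values of known-sensitive keys outright and scrubs emails, bearer tokens and Luhn-valid card numbers out of free-text strings, leaving ordinary numeric ids alone. The key list, the patterns and the sample record are assumptions constructed for illustration.

```javascript
// Added example (not from the page): redact PII and credentials from a log
// record before it is serialized. Key names, patterns and the sample record
// below are constructed assumptions, not data from a real system.

// Keys whose values are always replaced, whatever they contain.
const SENSITIVE_KEYS = new Set(["password", "token", "authorization", "ssn", "secret"]);

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// 13-19 digit runs, optionally separated by spaces or dashes (card candidates).
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
const BEARER_RE = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g;

// Luhn check so that order numbers and other ids are not mistaken for cards.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Scrub patterns out of a free-text string.
function redactString(s) {
  return s
    .replace(EMAIL_RE, "[EMAIL]")
    .replace(BEARER_RE, "Bearer [REDACTED]")
    .replace(CARD_RE, (m) => (luhnValid(m.replace(/[ -]/g, "")) ? "[CARD]" : m));
}

// Walk an object: sensitive keys are replaced wholesale, other strings scrubbed.
function redact(value, key = "") {
  if (SENSITIVE_KEYS.has(key.toLowerCase())) return "[REDACTED]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v, k);
    return out;
  }
  return value;
}

// The one function a logger should call: sanitize first, then serialize.
function safeLogLine(record) {
  return JSON.stringify(redact(record));
}

// Constructed sample record (not real data).
const SAMPLE_RECORD = {
  msg: "login failed for alice@example.com",
  headers: { authorization: "Bearer eyJabc.def.ghi" },
  body: { password: "hunter2", card: "4111 1111 1111 1111", orderId: "1234567890123" },
};

console.log(safeLogLine(SAMPLE_RECORD));
```

The card rule is deliberately two-stage: the regex only proposes candidates and the Luhn check decides, which is why the 13-digit order id survives while the test Visa number is replaced. Key-based redaction runs before pattern matching so a password that happens to look harmless is still never written.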
API Security
Are your APIs protected? Check that every input is validated on the server, that rate limits prevent abuse (especially on login and other expensive endpoints), and that secrets never appear in code, client bundles, or logs.
Secrets Management
Are credentials kept safe? Check that API keys and passwords are loaded from environment variables or a secrets manager rather than committed to code, that git history is clean of them, and that each environment (development, staging, production) uses its own credentials so a leaked development key cannot reach production data.
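A minimal check for the "not in code" part, as an added example and not the audit tool's own implementation: it scans source text for well-known key formats and for high-entropy string literals assigned to secret-looking names, while skipping placeholders and environment references. The patterns, the entropy threshold and the sample lines are constructed assumptions; for git history and a real code base, a dedicated scanner such as gitleaks is the right tool, this only shows the idea.

```javascript
// Added example (not from the page): a small hardcoded-secret scanner.
// Patterns, threshold and the sample source are constructed for illustration.

// Token shapes that are secrets on sight.
const KNOWN_PATTERNS = [
  { rule: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36}\b/ },
  { rule: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// A quoted literal of 8+ characters assigned to a secret-looking name.
const GENERIC_RE = /\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*["'`]([^"'`]{8,})["'`]/i;

// Shannon entropy in bits per character; placeholders such as "password" score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const ENTROPY_THRESHOLD = 3.5; // assumption: tuned for this sample

function scanLine(line, lineNo) {
  const findings = [];
  for (const { rule, re } of KNOWN_PATTERNS) {
    const m = re.exec(line);
    if (m) findings.push({ line: lineNo, rule, match: m[0] });
  }
  const g = GENERIC_RE.exec(line);
  if (g) {
    const value = g[2];
    const entropy = shannonEntropy(value);
    // Template references and obvious placeholders are not secrets.
    const placeholder = /^(\$\{|<|changeme|your[_-])/i.test(value);
    if (!placeholder && entropy >= ENTROPY_THRESHOLD) {
      findings.push({ line: lineNo, rule: "high-entropy-literal", match: value, entropy: Number(entropy.toFixed(2)) });
    }
  }
  return findings;
}

function scanSource(source) {
  return source.split("\n").flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample source (not a real code base). Line 1 reads the key from
// the environment and must not be flagged; line 4 is a low-entropy placeholder.
const SAMPLE_SOURCE = [
  "const apiKey = process.env.STRIPE_KEY;",
  'const apiKey = "a7Gx9QpL2mZr4TvB8nWc1KyH";',
  "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001",
  'password = "password"',
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

console.log(scanSource(SAMPLE_SOURCE));
```

The entropy gate is what keeps the generic rule usable: a bare `password = "..."` pattern on its own flags every fixture and placeholder, while a threshold around 3.5 bits per character lets real random-looking keys through and drops dictionary words. Run it against the working tree and against `git log -p` output, since a secret removed in a later commit is still in history.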
Stage Expectations
What 'good enough' looks like at each stage:
Light check
No secrets in code or git history
Mock auth is acceptable
Known security gaps documented
Full audit
Real authentication working
Basic input validation in place
Secrets in environment variables
Full audit
Complete auth flow tested
Role-based access enforced
Ready for external users
Full audit
Security review or pentest completed
Incident response plan exists
Security monitoring active
Common Issues
Problems we see often and how to fix them:
Session token stored in localStorage
Anything in localStorage is readable by every script on the page, so a single XSS bug hands over every session. Move the session identifier to a cookie with the HttpOnly, Secure and SameSite attributes.
No rate limiting on login
Add rate limiting (e.g., 5 attempts per minute per IP), and limit per account as well, since attackers rotate IPs.
API key visible in client bundle
Everything shipped to the browser is public. Move the call that needs the key to a server-side API route or server action, and rotate the exposed key.
Sensitive data in logs
Add log sanitization that redacts PII and credentials before the record is written; logs are copied, shipped and retained far longer than the request that produced them.
Role checks only on frontend
Frontend checks only hide UI; the request can be replayed with curl. Enforce roles server-side in API routes and middleware, using the role from the server-held session, never a value the client sends.
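Three of the fixes above in plain Node.js with no framework, as an added example that is not the page's or the audit tool's code: the cookie attributes for a session identifier, a per-IP sliding-window limiter for the login route, and a role check that trusts only the server-held session. The cookie name, the in-memory session store, `authorize()` and the sample requests are assumptions for illustration.

```javascript
// Added example (not from the page). SESSION_COOKIE, SESSIONS, authorize() and
// the requests below are constructed assumptions, not a real application.

const SESSION_COOKIE = "sid";

// 1. Session cookie the page script cannot read (HttpOnly), sent only over
//    TLS (Secure) and withheld from cross-site requests (SameSite).
function sessionCookie(sessionId, maxAgeSeconds = 3600) {
  return [
    `${SESSION_COOKIE}=${encodeURIComponent(sessionId)}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// 2. Sliding-window limiter: at most `limit` attempts per `windowMs` per key
//    (the client IP here). `now` is injectable so the behaviour is testable.
class LoginRateLimiter {
  constructor(limit = 5, windowMs = 60000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.attempts = new Map(); // ip -> timestamps of recent attempts
  }
  // true if the attempt may proceed, false if the caller should answer 429.
  allow(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.attempts.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.attempts.set(ip, recent);
      return false;
    }
    recent.push(now);
    this.attempts.set(ip, recent);
    return true;
  }
}

// 3. Server-side role check. Constructed session store: the role lives here,
//    on the server, and nothing the client sends can change it.
const SESSIONS = new Map([
  ["s-alice", { user: "alice", role: "admin" }],
  ["s-bob", { user: "bob", role: "member" }],
]);

function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map((p) => p.trim()).filter((p) => p.includes("="))
      .map((p) => { const i = p.indexOf("="); return [p.slice(0, i), decodeURIComponent(p.slice(i + 1))]; })
  );
}

// Returns {status, body}. The required role is compared against the session,
// so a body or cookie claiming "role=admin" is simply ignored.
function authorize(req, requiredRole) {
  const sid = parseCookies(req.headers.cookie)[SESSION_COOKIE];
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) return { status: 401, body: "not authenticated" };
  if (session.role !== requiredRole) return { status: 403, body: "forbidden" };
  return { status: 200, body: `hello ${session.user}` };
}

console.log(sessionCookie("s-alice"));
console.log(authorize({ headers: { cookie: "sid=s-bob; role=admin" } }, "admin"));
```

The limiter keeps timestamps rather than a single counter so a burst at the end of one minute cannot be followed by another at the start of the next. In production the map should live in a shared store (e.g. Redis) so the limit holds across instances, and the cookie name can carry the `__Host-` prefix, which browsers only accept together with Secure, Path=/ and no Domain attribute.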
Run with AI: Tell your agent "Run the Security audit at MVP level" or use /audit security. The agent will check your codebase against these criteria and report findings.
Next Steps
Related audits and resources: