Data & Security
Is this safe to use?
Review authentication, data protection, and API security. The most critical audit — run this before exposing your app to users.
Stage expectations
Light check
- No secrets in code or version control
- Mock auth is acceptable
- Known security gaps documented
Light check
- Real authentication working
- Basic input validation
- Secrets in environment variables
Full check
- Complete auth flow tested
- Role-based access enforced
- Ready for external users
Complete check
- Penetration test ready
- Incident response plan exists
- Security monitoring in place
Login Security
MVP+
- Login form uses HTTPS and secure cookies
- Failed login attempts are rate-limited (e.g., 5 attempts per minute)
- Account lockout after repeated failures (temporary or requires reset)
- CSRF tokens protect login and logout forms
- Login errors don't reveal whether email exists
- Password fields use type="password" and disable autocomplete for sensitive forms
Session Management
MVP+
- Session tokens are cryptographically random (128+ bits entropy)
- Sessions expire after reasonable inactivity (e.g., 24h-7d based on sensitivity)
- Sessions are invalidated on logout
- Sessions are invalidated on password change
- Session tokens stored in httpOnly cookies (not localStorage)
- Concurrent session limits enforced (if applicable)
- Session fixation is prevented (new token on auth state change)
Password Policies
MMP+
- Minimum password length enforced (12+ characters recommended)
- Passwords hashed with bcrypt, Argon2, or scrypt (never MD5/SHA1)
- Password reset tokens are single-use and expire within 1 hour
- Password reset emails don't confirm if account exists
- Old password required to set new password (when logged in)
- Breached password checking (optional but recommended)
Role-Based Access Control
MMP+
- User roles are clearly defined (e.g., admin, member, viewer)
- Role checks happen server-side (never trust client-side only)
- Principle of least privilege applied (default to minimal access)
- Role changes take effect immediately (no stale cached permissions)
- Admin actions require re-authentication for sensitive operations
- Privilege escalation is not possible through UI manipulation
Protected Routes
MVP+
- All authenticated routes check session validity
- API routes return 401 for unauthenticated requests
- API routes return 403 for unauthorized requests
- Middleware protects route groups consistently
- Deep links to protected content require authentication
- OAuth/SSO callbacks validate state parameter
Common Issues & Quick Fixes
Tools & Resources
Security Testing
- OWASP ZAP — Web app security scanner
- Burp Suite — Security testing toolkit
- npm audit — Dependency vulnerability scanning
- Snyk — Continuous security monitoring
Headers & Configuration
- Security Headers — Scan your security headers
- Mozilla Observatory — Website security analysis
- CSP Evaluator — Test CSP policies
- SSL Labs — SSL/TLS configuration test
References
- OWASP Top 10 — Top web security risks
- OWASP Cheat Sheets — Security implementation guides
- CWE Top 25 — Most dangerous software weaknesses
- Next.js Security — Framework security docs
Supabase Security
- Row Level Security — Database access control
- Auth Helpers — Authentication patterns
- Security Best Practices — Production checklist
AI Agent Commands
Use these prompts with your AI coding agent to run security checks:
- Run the Security audit at MVP level
- Check all API routes for authentication
- Audit input validation in form handlers
- Find hardcoded secrets in the codebase
- Review CORS and security header configuration