Security
Security Checklist
Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)
See COMMON-VULNS.md for detailed checks.
Critical: Never Store These in Code
Move to environment variables:
- Database passwords
- API keys (Stripe, SendGrid, etc)
- JWT secrets
- OAuth client secrets
- Encryption keys
Tell AI:
Store API keys in .env file, not in code. Add .env to .gitignore. Access via process.env.API_KEY
Authentication Basics
Minimum requirements:
- Passwords: 8+ chars, require number/symbol
- Hash passwords (bcrypt with 10+ rounds)
- Email verification for signups
- Password reset via email only
- Sessions expire (30-60 min idle)
- Logout clears session completely
Tell AI:
Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbol
See SECURITY-PROMPTS.md for implementation details.
Data Protection
Always encrypt:
- Passwords (hashed, not encrypted)
- Payment info (use Stripe, don't store cards)
- Personally identifiable information (PII)
Never log:
- Passwords (even hashed)
- Credit card numbers
- API keys
- Session tokens
Tell AI:
Never log sensitive data. Replace passwords/tokens with "[REDACTED]" in logs.
API Security
Required for all API endpoints:
- Authentication check
- Rate limiting (prevent abuse)
- Input validation
- Error messages don't leak info
Tell AI:
Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)
Common Vulnerabilities
Most common in AI-built apps:
- Exposed API keys - In code instead of .env
- No rate limiting - APIs can be spammed
- Missing auth checks - Routes accessible without login
- SQL injection - Raw SQL with user input
- XSS attacks - Unescaped user content displayed
See COMMON-VULNS.md for how to check.
Security Prompts for AI
Adding authentication:
Add authentication to this route. Require valid JWT token. Return 401 if missing/invalid. Don't expose error details.
Rate limiting:
Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed
Input validation:
Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars

Reject invalid input with clear error message
See SECURITY-PROMPTS.md for more.
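The sliding-window limit from the rate limiting prompt above (100 requests/minute per IP, 429 when exceeded), as an added example that is not part of the original page. `createLimiter`, `check` and `middleware` are hypothetical names, the middleware assumes an Express-style `req`/`res`, and the IP address and timestamps in `demo` are constructed.

```javascript
// Added example: sliding-window-log rate limiter (in-memory).
// createLimiter, check and middleware are hypothetical names, not a library API.
// Assumes a single process; idle IPs are never evicted from the Map.
function createLimiter({ limit = 100, windowMs = 60000, now = Date.now } = {}) {
  const hits = new Map(); // ip -> ascending timestamps of accepted requests

  function check(ip) {
    const t = now();
    const log = hits.get(ip) || [];
    // Slide the window: drop timestamps that are windowMs old or older.
    while (log.length && log[0] <= t - windowMs) log.shift();
    if (log.length >= limit) {
      // The oldest accepted request leaves the window at log[0] + windowMs.
      const retryAfterSec = Math.ceil((log[0] + windowMs - t) / 1000);
      return { allowed: false, retryAfterSec };
    }
    log.push(t);
    hits.set(ip, log);
    return { allowed: true, retryAfterSec: 0 };
  }

  // Express-style middleware. Behind a reverse proxy, req.ip is the client
  // address only if the framework's trusted-proxy setting is configured.
  function middleware(req, res, next) {
    const result = check(req.ip);
    if (result.allowed) return next();
    res.set("Retry-After", String(result.retryAfterSec));
    res.status(429).json({ error: "Too many requests" });
  }

  return { check, middleware };
}

// Constructed scenario with a fake clock: 100 requests in the last second of
// one minute, then one more just after the minute boundary.
function demo() {
  let clock = 59000;
  const limiter = createLimiter({ now: () => clock });
  let accepted = 0;
  for (let i = 0; i < 100; i++) if (limiter.check("203.0.113.7").allowed) accepted++;
  clock = 60500; // a fixed window would have reset its counter at 60000
  const afterBoundary = limiter.check("203.0.113.7");
  clock = 119000; // the burst at 59000 has now aged out of the window
  const afterWindow = limiter.check("203.0.113.7");
  return { accepted, afterBoundary, afterWindow };
}
```

With a limit of 100, the 101st request inside the window is the first to receive 429.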
Pre-Launch Security Review
Before deploying:
Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")
When to Get Security Audit
Signs you need expert review:
- Handling payments directly (not Stripe)
- Storing health/financial data
- Multi-tenant with data isolation
- Over 1,000 users
- Processing sensitive PII
For most MVPs: Following this checklist is sufficient.
Common Founder Mistakes
| Mistake | Fix |
|---|---|
| API keys in code | Move to .env |
| No rate limiting | Add to all endpoints |
| Plain text passwords | Use bcrypt |
| HTTP in production | Force HTTPS |
| Accepting all CORS | Whitelist domains |
| No input validation | Validate server-side |
| Detailed error messages | Generic messages only |
Quick Wins
Easy security improvements:
- Add Helmet.js (Node) - Sets security headers
- Use HTTPS everywhere - Force in production
- Add rate limiting - Prevents abuse
- Environment variables - Keep secrets safe
- Update dependencies - Fix known vulnerabilities
Tell AI:
Add helmet.js for security headers. Configure for production (HTTPS, CSP, XSS protection).
Testing Security
Quick checks:
Exposed secrets:
```bash
grep -r "api_key" src/
grep -r "password" src/
# Should only find references to env vars
```
No auth bypass:
- Try accessing protected routes without login
- Should redirect to login or return 401
Rate limiting works:
- Hit API endpoint 100 times quickly
- Should get 429 error
Success Looks Like
✅ No secrets in code (all in .env)
✅ Can't access protected routes without auth
✅ Passwords hashed, never stored plain text
✅ Rate limiting prevents abuse
✅ HTTPS enforced in production
✅ Input validated on server side