Run a Security Checklist
A comprehensive pre-launch security review covering auth, data, APIs, dependencies, and infrastructure.
10-15 min | Intermediate
Tags: Launch, Deep Work, Developer, Founder
Prompt Template
Run a security checklist for my [framework] app before launch. Check each category and tell me pass/fail/not-applicable:

Authentication:
- [ ] Passwords hashed with bcrypt/argon2 (not MD5/SHA)
- [ ] Session tokens are HttpOnly, Secure, SameSite cookies
- [ ] OAuth callback URLs are validated (no open redirects)
- [ ] Rate limiting on login/signup endpoints

Data protection:
- [ ] No sensitive data in URL parameters (use POST body or headers)
- [ ] Database queries use parameterized queries (no string concatenation)
- [ ] File uploads validate file type by magic bytes, not just extension
- [ ] User-generated content is sanitized before rendering (XSS prevention)

API security:
- [ ] All endpoints check authentication where required
- [ ] Authorization checked (user can only access their own data)
- [ ] CORS configured to allow only your domains
- [ ] API responses don't leak internal errors or stack traces to clients

Dependencies:
- [ ] No known vulnerabilities (npm audit / snyk)
- [ ] .env and secrets not committed to git
- [ ] Third-party scripts loaded from trusted sources only

Infrastructure:
- [ ] HTTPS enforced (no HTTP)
- [ ] Security headers set (CSP, X-Frame-Options, X-Content-Type-Options)
- [ ] Error pages don't expose stack traces or system info

For each failing item, explain the risk and show the fix.

**Output format:** Checklist with pass/fail and fixes for failures.
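Several of the items above (session cookie flags, HSTS, CSP, X-Frame-Options, X-Content-Type-Options) can be verified mechanically from a single HTTP response. The checker below is an added example, not part of the prompt template; it runs over a constructed header dictionary and returns pass/fail per item in the same spirit as the checklist. It treats a present Strict-Transport-Security header as the HTTPS-enforcement signal, which is an approximation (a real check would also confirm the HTTP-to-HTTPS redirect).

```python
"""Evaluate the header-based checklist items against one HTTP response."""
from http.cookies import SimpleCookie

# Constructed sample: headers a launch candidate might return.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
}


def cookie_flags(set_cookie: str) -> dict:
    """Parse one Set-Cookie value; report HttpOnly/Secure/SameSite per cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    flags = {}
    for name, morsel in jar.items():
        flags[name] = {
            "HttpOnly": bool(morsel["httponly"]),
            "Secure": bool(morsel["secure"]),
            # Only Lax and Strict count as a CSRF-relevant SameSite setting.
            "SameSite": morsel["samesite"].lower() in ("lax", "strict"),
        }
    return flags


def audit_response(headers: dict) -> dict:
    """Return {checklist item: 'pass' | 'fail'} for the header-based items.

    Set-Cookie may be a single string or a list, since real responses
    often carry several Set-Cookie headers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    checks = {
        "HTTPS enforced (HSTS present)": "strict-transport-security" in h,
        "CSP set": bool(h.get("content-security-policy")),
        "X-Frame-Options DENY/SAMEORIGIN":
            h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "X-Content-Type-Options nosniff":
            h.get("x-content-type-options", "").lower() == "nosniff",
    }
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for raw in cookies:
        for name, flags in cookie_flags(raw).items():
            checks[f"cookie '{name}' HttpOnly/Secure/SameSite"] = all(flags.values())
    return {item: "pass" if ok else "fail" for item, ok in checks.items()}
```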
A structured checklist is exhaustive where human memory is not. Going category by category ensures nothing gets skipped.
Before launch, and quarterly after launch.