The Ship Checklist
A short, opinionated safety pass for vibe coders before you point a real URL at the world.
Most vibe-coded apps ship the same handful of bugs: a leaked API key, an unrate-limited model call, a database that returns more than it should. Run this list once before launch and a second time after your first hundred users — it takes about thirty minutes and saves the kind of incident you tell stories about.
Privacy & user data
If real people use your app, treat their data like it's yours.
Privacy policy if you collect user data
Even a one-pager. State what you collect, why, where it lives, and how someone deletes it. Link it from your footer and sign-up flow.
Know where user data is stored
Supabase project? Vercel KV? A spreadsheet? Write it down. You can't secure or delete what you can't locate.
Security basics
The same handful of bugs ship in most weekend projects.
Check security headers
Run your live URL through securityheaders.com, not localhost: the host or CDN in front of your app may add or strip headers. Aim for at least Strict-Transport-Security, a Content-Security-Policy, and X-Frame-Options (or the CSP frame-ancestors directive, which covers the same clickjacking risk and supersedes it).
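A small audit you can run against your own deployment, added here as an example and not code from the original page. Pass it a plain object of response headers (for instance `Object.fromEntries((await fetch(url)).headers)`); it reports what is missing or weak. The checks, the six-month HSTS floor, and the two extra headers beyond the three named above are my own choices, not securityheaders.com's grading.

```javascript
// Added example, not code from the original page: a small audit of the
// response headers the checklist asks for. Pass it a plain object of headers
// (e.g. Object.fromEntries((await fetch(url)).headers)). The checks and the
// six-month HSTS floor are my own choices, not securityheaders.com's grading.

function parseCsp(value) {
  // "default-src 'self'; script-src 'self' cdn.example.com"
  //   -> { 'default-src': ["'self'"], 'script-src': ["'self'", 'cdn.example.com'] }
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function auditSecurityHeaders(rawHeaders) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const missing = [];
  const weak = [];

  // Strict-Transport-Security: present, with a max-age of at least six months.
  const hsts = h['strict-transport-security'];
  if (!hsts) missing.push('strict-transport-security');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 15552000) weak.push('strict-transport-security: max-age below six months');
  }

  // Content-Security-Policy: present, and scripts not left wide open.
  const csp = h['content-security-policy'];
  let frameAncestorsSet = false;
  if (!csp) missing.push('content-security-policy');
  else {
    const d = parseCsp(csp);
    frameAncestorsSet = 'frame-ancestors' in d;
    const scripts = d['script-src'] || d['default-src'];
    if (!scripts) weak.push('content-security-policy: neither script-src nor default-src set');
    else if (scripts.some((s) => s === '*' || /^'unsafe-(inline|eval)'$/.test(s))) {
      weak.push("content-security-policy: scripts allow *, 'unsafe-inline' or 'unsafe-eval'");
    }
  }

  // Clickjacking: X-Frame-Options, or the CSP frame-ancestors directive that supersedes it.
  const xfo = h['x-frame-options'];
  if (!xfo && !frameAncestorsSet) missing.push('x-frame-options (or CSP frame-ancestors)');
  else if (xfo && !/^(deny|sameorigin)$/i.test(xfo.trim())) weak.push(`x-frame-options: unexpected value "${xfo}"`);

  // Two cheap extras beyond the three the checklist names.
  if (!/^nosniff$/i.test(h['x-content-type-options'] || '')) missing.push('x-content-type-options: nosniff');
  if (!h['referrer-policy']) missing.push('referrer-policy');

  return { missing, weak, pass: missing.length === 0 && weak.length === 0 };
}

// Constructed samples: a bare deployment, and a hardened header set.
const BARE_HEADERS = { 'content-type': 'text/html; charset=utf-8', 'x-powered-by': 'Next.js' };
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log(auditSecurityHeaders(BARE_HEADERS));
console.log(auditSecurityHeaders(HARDENED_HEADERS));
```

The CSP check is deliberately shallow: it only catches a script policy that is effectively no policy. A CSP that passes here can still be bypassed through an allowed CDN that hosts JSONP or AngularJS, so treat `pass: true` as "the headers exist", not "the policy is sound".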
Scan against OWASP basics
Skim the OWASP Top 10. You don't need a pentest — just confirm you didn't ship the obvious ones (auth bypass, IDOR, open redirects).
Look for SQL injection, XSS, and auth issues
Parameterize every query; never build SQL by string concatenation, even for values you think are internal. Never interpolate user strings into HTML: escape them or let your framework's templating do it, and treat dangerouslySetInnerHTML as a code smell. Confirm protected routes check the session on the server, not just hide a button in the UI, and that the row they return actually belongs to the signed-in user (that is the IDOR check).
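The three checks above side by side, as an added example rather than code from the original page: a string-built SQL query next to its parameterized form (the `{ text, values }` object shape that node-postgres accepts), an HTML escaper for anything user-supplied that lands in markup, and a route guard that decides access from server-side state. The session store, the projects table and the route shape are constructed for the example.

```javascript
// Added example, not code from the original page. The session store,
// projects table and request shape are constructed stand-ins.

// --- SQL: vulnerable vs parameterized ---------------------------------------

// VULNERABLE: user input is spliced into the query text, so a quote in the
// input changes the query's structure.
function findUserUnsafe(email) {
  return { text: `SELECT id, email FROM users WHERE email = '${email}'`, values: [] };
}

// SAFE: the query text is constant; the driver sends the value separately
// (this { text, values } object is what node-postgres' client.query accepts).
function findUserSafe(email) {
  return { text: 'SELECT id, email FROM users WHERE email = $1', values: [email] };
}

// --- HTML: escape before interpolating into markup ---------------------------

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderGreeting(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}</p>`;
}

// --- Auth: decide on the server, not in the UI -------------------------------

// Constructed stand-ins for a session store and a table of user-owned rows.
const SESSIONS = new Map([
  ['sess_alice', { userId: 'u1' }],
  ['sess_bob', { userId: 'u2' }],
]);
const PROJECTS = new Map([['p100', { id: 'p100', ownerId: 'u1', name: 'Alice project' }]]);

// Handler for GET /projects/:id returning { status, body }. Every branch is
// decided by server-side state (cookie -> session -> owner), never by a
// flag the client sent.
function getProject(req) {
  const session = SESSIONS.get(req.cookies.session);
  if (!session) return { status: 401, body: { error: 'not signed in' } };
  const project = PROJECTS.get(req.params.id);
  // Same 404 for "missing" and "not yours": don't confirm other users' IDs exist.
  if (!project || project.ownerId !== session.userId) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: project };
}

const injected = "' OR '1'='1";
console.log(findUserUnsafe(injected).text); // the WHERE clause is now always true
console.log(findUserSafe(injected));        // text unchanged, payload travels as a value
console.log(renderGreeting('<script>alert(1)</script>'));
console.log(getProject({ cookies: { session: 'sess_bob' }, params: { id: 'p100' } }).status);
```

The ownership comparison is the part vibe-coded apps most often skip: the route checks that *someone* is logged in and then loads whatever id the URL carries. Keying the lookup on both the id and the session's user (or, with Supabase, turning on row level security) closes that hole regardless of what the UI shows.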
Secrets & API keys
The fastest way to wake up to a four-figure bill.
Make sure .env values are not leaking
Anything prefixed NEXT_PUBLIC_, VITE_, or REACT_APP_ is inlined into the browser bundle at build time, so it is public no matter how the variable is named. Audit your env file and move anything sensitive to a server-only name. If a secret has already been deployed under a public prefix, renaming it is not enough: it is in every bundle you have published, so rotate it as well.
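A scanner for that audit, added here as an example and not tooling from the original page. It parses a .env file and flags variables that carry one of the three public prefixes above but whose name or value looks like a secret. The "looks sensitive" word list and the value patterns are my assumptions and will miss a secret with a bland name and an unusual format, so a clean report is necessary, not sufficient.

```javascript
// Added example, not the page's own tooling. Prefix list is the one the
// checklist names; the sensitive-name words and secret-format patterns are
// my assumptions and are not exhaustive.

const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_'];
const SENSITIVE_WORDS = /(SECRET|PRIVATE|TOKEN|PASSWORD|PASSWD|API_KEY|APIKEY|SERVICE_ROLE|WEBHOOK)/i;
// Well-known secret formats, so a misnamed variable still trips the check.
const SECRET_VALUE_PATTERNS = [
  /^sk-[A-Za-z0-9_-]{10,}/,                       // OpenAI / Anthropic style
  /^sk_(live|test)_/,                              // Stripe secret keys
  /^whsec_/,                                       // Stripe webhook signing secret
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\./,          // a JWT
  /^-----BEGIN /,                                  // PEM private key pasted inline
];

// Minimal .env parser: KEY=value, optional "export", optional quotes, # comments.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim().replace(/^export\s+/, '');
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    vars[key] = value;
  }
  return vars;
}

// Returns one finding per public-prefixed variable that looks like a secret.
function findLeakingSecrets(text) {
  const findings = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    const prefix = PUBLIC_PREFIXES.find((p) => key.startsWith(p));
    if (!prefix) continue; // server-only name: never reaches the bundle
    const reasons = [];
    if (SENSITIVE_WORDS.test(key)) reasons.push('name looks like a secret');
    if (SECRET_VALUE_PATTERNS.some((re) => re.test(value))) reasons.push('value matches a known secret format');
    if (reasons.length) {
      findings.push({ key, prefix, reasons, suggestion: key.slice(prefix.length) });
    }
  }
  return findings;
}

// Constructed .env: two genuinely public values, two mistakes, one correct secret.
const SAMPLE_ENV = `
# public, fine
NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co
NEXT_PUBLIC_APP_NAME=VibeShare
# mistakes: both of these ship in the browser bundle
VITE_OPENAI_API_KEY="sk-REDACTED-example-0000000000"
NEXT_PUBLIC_STRIPE_SECRET=sk_test_example
# server-only, correct
STRIPE_WEBHOOK_SECRET=whsec_example
`;

for (const f of findLeakingSecrets(SAMPLE_ENV)) {
  console.log(`${f.key}: ${f.reasons.join('; ')} -> rename to ${f.suggestion} and rotate`);
}
```

To use it on a real project, read `.env`, `.env.local` and `.env.production` with `fs.readFileSync` and pass the text to `findLeakingSecrets`. One known false positive: a Supabase anon key is a JWT and will trip the value pattern; that key is designed to be public, provided row level security is enabled on your tables.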
Check API responses for sensitive data
Don't return the full user row when the client only needs a name. Build the response from an allowlist of fields rather than deleting the ones you remember are sensitive, so a column added next month stays hidden by default: no password hashes, tokens, internal IDs, or admin flags.
Remove secrets from logs
Stripe webhooks, auth tokens, and prompt payloads love to end up in console.log, and from there in your host's log viewer, which usually has wider access than your database. Grep for console.log and logger calls before going live, then do a test run and read the live logs to see what actually landed there.
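Two small filters for data on its way out, covering both the "API responses" and "logs" items above; this is an added example, not code from the original page. `toPublicUser` allowlists the fields a client may see, and `redactForLog` masks the secret formats that most often end up in console.log. The row shape, the token formats and the sample values are constructed.

```javascript
// Added example, not from the original page. Row shape and token formats are
// constructed; the redaction patterns are my assumptions, not a complete list.

// Allowlist: name what the client may see. Anything not listed (password
// hash, admin flag, Stripe customer id, a column added later) never leaves.
const PUBLIC_USER_FIELDS = ['id', 'displayName', 'avatarUrl'];

function toPublicUser(row) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (row[field] !== undefined) out[field] = row[field];
  }
  return out;
}

// Patterns for values that must never reach a log line.
const REDACTIONS = [
  [/\b(sk|rk)_(live|test)_[A-Za-z0-9]{8,}\b/g, '$1_$2_***'],            // Stripe secret/restricted keys
  [/\bwhsec_[A-Za-z0-9]{8,}\b/g, 'whsec_***'],                            // Stripe webhook signing secrets
  [/\bsk-[A-Za-z0-9_-]{10,}/g, 'sk-***'],                                 // OpenAI-style keys
  [/\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, 'Bearer ***'],                     // Authorization headers
  [/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, '<jwt>'],     // bare JWTs
];

// Accepts a string or an object (serialised first), so it can wrap any
// console.log argument: console.log(redactForLog(req.headers)).
function redactForLog(value) {
  let text = typeof value === 'string' ? value : JSON.stringify(value);
  for (const [re, replacement] of REDACTIONS) text = text.replace(re, replacement);
  return text;
}

// Constructed row as it comes back from the database.
const DB_ROW = {
  id: 'u1',
  email: 'alice@example.com',
  displayName: 'Alice',
  avatarUrl: '/a.png',
  passwordHash: '$2b$12$abcdefghijklmnopqrstuv',
  isAdmin: true,
  stripeCustomerId: 'cus_123',
};

console.log(toPublicUser(DB_ROW));
console.log(redactForLog('Authorization: Bearer abc.def.ghi, key sk_live_abcdefghijkl'));
console.log(redactForLog({ token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig123' }));
```

Redaction is a backstop, not the plan: the log line that matters is the one you never write. Keep the allowlist serializer at the API boundary and the redactor on the logger, and you are protected from both the client and your own debugging.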
Never expose API keys in frontend code
If your OpenAI/Anthropic/Stripe key shows up in the browser bundle, anyone can extract it from the JavaScript your CDN serves. Rotate it now: deleting the line from your code does not un-ship the bundles already published. Then proxy through your backend.
Move keys server-side or behind a proxy
Use a Next.js route handler, Edge function, or thin proxy. The browser asks your server, your server talks to the upstream API with the secret.
Operations
Cheap insurance against the worst Monday morning of your life.
Add rate limits before someone burns your API bill
Per-user limits on anything that hits a paid model, plus per-IP limits for anonymous endpoints. Upstash, Vercel KV, or a simple in-memory token bucket (fine for a single long-running instance; it resets on every deploy and is not shared between serverless invocations), pick one and turn it on before launch. If your model provider offers a monthly usage limit, set it too, so a missed rate limit costs a fixed amount rather than an open-ended one.
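The proxy pattern and the rate limit from the last two sections together, as an added example rather than the page's or any framework's own code: a server-side route for a model call that keeps the key in a server-only env name, checks the session, applies a per-user token bucket, and forwards a request it assembled itself. `fetchImpl` and `now()` are injectable so the handler runs here without network or waiting; the route shape, upstream URL, upstream response shape and limits are assumptions.

```javascript
// Added example, not the page's or any framework's code. Route shape,
// upstream URL, response shape and limits are assumptions; the upstream
// API below is a constructed fake.

class TokenBucket {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, updated }
  }
  // Spends `cost` tokens for `key` and returns true, or returns false if the
  // bucket (after refilling for elapsed time) doesn't hold enough.
  take(key, cost = 1) {
    const t = this.now();
    const b = this.buckets.get(key) || { tokens: this.capacity, updated: t };
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.updated) / 1000) * this.refillPerSec);
    b.updated = t;
    const allowed = b.tokens >= cost;
    if (allowed) b.tokens -= cost;
    this.buckets.set(key, b);
    return allowed;
  }
}

function createChatProxy({ apiKey, sessions, limiter, fetchImpl, upstreamUrl = 'https://api.example.com/v1/chat' }) {
  // Fail at startup, not on the first request, if the key isn't configured server-side.
  if (!apiKey) throw new Error('upstream API key missing; set it under a server-only env name');
  return async function handle(req) {
    const session = sessions.get(req.cookies && req.cookies.session);
    if (!session) return { status: 401, body: { error: 'sign in first' } };
    // Key the limit on the user, not only the IP: one account can't spend from
    // many addresses, and a shared office NAT doesn't lock everyone out.
    if (!limiter.take(session.userId)) {
      return { status: 429, headers: { 'Retry-After': '10' }, body: { error: 'slow down' } };
    }
    const prompt = typeof (req.body && req.body.prompt) === 'string' ? req.body.prompt.slice(0, 4000) : '';
    if (!prompt) return { status: 400, body: { error: 'prompt required' } };
    // Build the upstream request here: the client can't pick the model, raise
    // max_tokens or smuggle headers, and the key never leaves the server.
    const upstream = await fetchImpl(upstreamUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${apiKey}` },
      body: JSON.stringify({ model: 'small-model', max_tokens: 300, messages: [{ role: 'user', content: prompt }] }),
    });
    if (!upstream.ok) return { status: 502, body: { error: 'upstream failed' } };
    const data = await upstream.json();
    return { status: 200, body: { reply: data.reply } };
  };
}

// Constructed stand-in for the upstream API: records each call, answers "pong".
function makeFakeUpstream() {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, init });
    return { ok: true, json: async () => ({ reply: 'pong' }) };
  };
  return { calls, fetchImpl };
}

// For a real route: apiKey: process.env.OPENAI_API_KEY (no public prefix),
// fetchImpl: fetch, and a shared store such as Upstash behind the limiter
// if more than one instance serves traffic.
async function demo() {
  const { calls, fetchImpl } = makeFakeUpstream();
  const handle = createChatProxy({
    apiKey: 'sk-server-only-example',
    sessions: new Map([['sess_alice', { userId: 'u1' }]]),
    limiter: new TokenBucket({ capacity: 2, refillPerSec: 0.1 }),
    fetchImpl,
  });
  const req = { cookies: { session: 'sess_alice' }, body: { prompt: 'hi' } };
  const results = [await handle({}), await handle(req), await handle(req), await handle(req)];
  return { statuses: results.map((r) => r.status), calls };
}

demo().then((r) => console.log(r.statuses)); // [401, 200, 200, 429]
```

Note what the handler refuses to do: it never forwards `req.body` as-is. Passing the client's JSON straight through is the common shortcut, and it hands the caller control of `model` and `max_tokens`, which is exactly the bill you were trying to cap.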
Shipped it? Share it.
Once your app is live and the checklist is green, submit it to the directory — VibeShare reviews submissions within 24 hours.
This list is a starting point, not a guarantee. If your app handles payments, medical data, or anything regulated, get a real review.