20 security checks every AI-era project should pass.
20 remaining — keep going!
Verify .env, node_modules, .next, dist, *.pem, and *.key are excluded from version control.
Scan for API keys (OpenAI, Stripe, AWS), database URIs, Bearer tokens, and generic secrets in source files.
A .env.example file exists with placeholder values so new developers know which environment variables to set.
All API keys, database credentials, and third-party tokens are loaded from environment variables, not source code.
Run npm audit (or equivalent) to check for known vulnerabilities in third-party packages.
package-lock.json, yarn.lock, or pnpm-lock.yaml is committed to ensure reproducible builds and prevent supply chain attacks.
A security.txt file (RFC 9116) with Contact and Expires fields exists at /.well-known/security.txt.
A SECURITY.md file documents how to report security vulnerabilities in your project.
HTTPS is enforced with a valid certificate. HTTP requests redirect to HTTPS. TLS 1.2+ is required.
Verify Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy are set.
Cross-Origin Resource Sharing is configured with specific allowed origins — not wildcard (*).
A Content-Security-Policy header is set with appropriate directives to prevent XSS and data injection.
API routes have rate limiting to prevent abuse, brute force attacks, and denial of service.
Auth is handled by a proven provider (Clerk, Supabase Auth, NextAuth, Auth0) rather than custom implementation.
State-changing requests are protected against Cross-Site Request Forgery with tokens or SameSite cookies.
All API endpoints and form handlers validate input using schema-based validation (Zod, Joi, etc.).
Database queries use parameterized queries or an ORM — never string concatenation with user input.
User input is sanitized before rendering. No use of dangerouslySetInnerHTML or innerHTML with untrusted data.
API error responses show user-friendly messages, not stack traces, database queries, or internal paths.
Authentication events, authorization failures, and suspicious activity are logged and monitored.