Security Playbooks
Stack-specific security guides written for beginners. Practical, with code examples you can copy and paste.
What are playbooks?
Step-by-step security guides for specific tech stacks. Each one covers the most important things to get right, with code examples and checklists.
Securing a Next.js + Supabase App
Row Level Security, API route protection, environment variables, auth sessions with @supabase/ssr, CSP headers, and rate limiting. Covers the most common mistakes AI tools make with Supabase.
Securing an Express + MongoDB App
Helmet.js setup, MongoDB injection prevention, CORS configuration, rate limiting, session management with connect-mongo, and input validation with Zod.
Security Checklist for AI-Built Apps
Phantom function calls, hardcoded credentials, missing validation, eval() dangers, and placeholder auth that looks real but isn't. A review checklist for any AI-generated codebase.
Want to contribute a playbook? Open an issue, or submit a PR that adds it under docs/playbooks/