HOW TO SECURE HOSTINGER HORIZONS
Step-by-step guide to securing your Hostinger Horizons AI-powered website and app builder.
Hostinger Horizons Security Context
Hostinger Horizons generates apps via prompt and deploys them on Hostinger’s hosting. The hosting layer (TLS, infrastructure, basic DDoS) is taken care of; everything above the OS is your responsibility — and Horizons’ generator inherits the same default-insecure patterns we see across the AI-builder space. The recurring shape: AI generates a working CRUD app with no auth checks, no input validation, and the database credential committed to a config file. Horizons makes this fast; the audit below makes it shippable.
Security Checklist
1. Review generated authentication code (Critical)
Open the generated auth files (auth/, lib/auth.*, or wherever your generator placed them). Verify three things: (1) password hashing uses bcrypt / argon2 — not MD5, SHA-256, or a plaintext === comparison; (2) sessions use httpOnly cookies, not localStorage; (3) email verification is enforced before login (not just before “sensitive” actions). The fastest tell: search the codebase for localStorage.setItem('token' — every match is a session token within reach of any XSS.
2. Audit exposed API endpoints (Critical)
List every route file. For each handler, check the first three lines for an auth gate. The Horizons generator routinely produces handlers like app.post('/api/orders', (req, res) => { /* no auth */ }). Add an explicit middleware (requireAuth or equivalent) on every protected route — the route’s name is not security.
3. Check for hardcoded secrets (Critical)
Run grep -rE "sk_live|sk_test|service_role|AKIA|SG\.|xoxb-" . from the project root. Every match needs to be: rotated at the provider (because the secret is in git history forever), removed from code, and moved to an environment variable on the Hostinger panel. The provider rotation is non-optional — the secret is already exposed even if you delete it from code.
4. Configure HTTPS for the custom domain (Critical)
In Hostinger panel → Domains → SSL: confirm the cert covers both the apex and www. Hit http://yourdomain.com and confirm it redirects to https://. Once stable, add HSTS in your app’s response headers: Strict-Transport-Security: max-age=31536000; includeSubDomains.
5. Validate forms server-side (Critical)
Client-side validation in the React component is decoration. The attacker POSTs directly to the endpoint. Add a Zod / Joi / Pydantic schema in every handler before touching the DB. The minimum: required fields, max lengths, expected types, allowed values for enums.
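An added example, not code from Horizons or this page: a hand-written rule set in the shape of a Zod/Joi schema, applied to a constructed /api/orders body before the handler touches the database. The field names and limits are assumptions; the point is that required fields, types, lengths, enum values and unknown fields are all rejected server-side.

```javascript
// Added example (not Horizons-generated code). Schema for a hypothetical
// POST /api/orders body; field names and limits are assumptions.
const ORDER_SCHEMA = {
  productId: { type: 'string', required: true, maxLength: 36 },
  quantity:  { type: 'integer', required: true, min: 1, max: 100 },
  shipping:  { type: 'string', required: true, enum: ['standard', 'express'] },
  note:      { type: 'string', required: false, maxLength: 500 },
};

// Returns a list of problems; an empty list means the body may proceed.
// Unknown fields are rejected too, so a client cannot smuggle in e.g. isAdmin.
function validate(schema, body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`${key}: unexpected field`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const value = body[key];
    if (value === undefined || value === null) {
      if (rule.required) errors.push(`${key}: required`);
      continue;
    }
    if (rule.type === 'string') {
      if (typeof value !== 'string') { errors.push(`${key}: must be a string`); continue; }
      if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${key}: longer than ${rule.maxLength}`);
      if (rule.enum && !rule.enum.includes(value)) errors.push(`${key}: must be one of ${rule.enum.join(', ')}`);
    } else if (rule.type === 'integer') {
      // typeof '2' === 'string', so a quoted number from a raw POST fails here
      if (!Number.isInteger(value)) { errors.push(`${key}: must be an integer`); continue; }
      if (rule.min !== undefined && value < rule.min) errors.push(`${key}: below ${rule.min}`);
      if (rule.max !== undefined && value > rule.max) errors.push(`${key}: above ${rule.max}`);
    }
  }
  return errors;
}

// Call this first thing in the handler; respond 400 with the list if non-empty.
function validateOrder(body) { return validate(ORDER_SCHEMA, body); }
```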
6. Audit generated database schema and policies
If Horizons wired in a managed Postgres / MySQL: confirm the application connects with a least-privilege user (not root / admin). If it wired in Supabase: enable RLS on every table and add ownership policies — see the Supabase RLS Checker. If it wired in Firestore: replace any allow read, write: if true; rule.
7. Configure security headers
Add Content-Security-Policy: default-src 'self', X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin. In the Hostinger panel for static sites this lives under Domain → HTTP Headers; for app deploys it goes in your framework config. Verify with the Security Headers Checker.
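An added example covering items 4 and 7, not code from Horizons or this page: one Express-style middleware that sets the listed headers, plus a checker you can run over the header map of any fetched response to confirm the values survived deployment. Header values are the ones named in this checklist; the middleware signature is an assumption.

```javascript
// Added example (not Horizons-generated code). Values are the ones this
// checklist asks for; the (req, res, next) shape is an Express assumption.
const REQUIRED_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'content-security-policy': "default-src 'self'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
};

function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) res.setHeader(name, value);
  next();
}

// Takes a header map (e.g. Object.fromEntries(response.headers)) and returns
// the problems found. HSTS is checked for a max-age of at least one year and
// CSP for a restrictive default-src, rather than for exact string equality,
// so a hosting layer that rewrites the header slightly still passes.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const problems = [];
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) problems.push('missing strict-transport-security');
  else if (!maxAge || Number(maxAge[1]) < 31536000) problems.push('hsts max-age below one year');
  const csp = h['content-security-policy'];
  const def = csp && /(?:^|;)\s*default-src\s+([^;]+)/i.exec(csp);
  if (!csp) problems.push('missing content-security-policy');
  else if (!def || /\*|'unsafe-inline'/.test(def[1])) problems.push('csp default-src is permissive');
  for (const name of ['x-frame-options', 'x-content-type-options', 'referrer-policy']) {
    if (!h[name]) problems.push(`missing ${name}`);
    else if (h[name].toLowerCase() !== REQUIRED_HEADERS[name].toLowerCase()) problems.push(`${name} is ${h[name]}`);
  }
  return problems;
}
```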
8. Validate file uploads
If your app accepts uploads: enforce file extension allowlist, MIME type check, and a max size (1MB unless you have a reason). Reject .zip unless you genuinely process zips and have a zip-slip-safe extractor — see file upload zip-slip.
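An added example, not code from Horizons or this page: server-side upload checks that enforce an extension allowlist, sniff the content by magic bytes instead of trusting the client's Content-Type, cap the size at 1 MB, and reject zip entry paths that would escape the extraction root (zip-slip). The allowlist is an assumption chosen for a typical image/PDF upload.

```javascript
// Added example (not Horizons-generated code). Allowlist and limit are
// assumptions matching the checklist's 1 MB default.
const MAX_BYTES = 1024 * 1024;
const ALLOWED = {                      // extension -> [expected mime, magic prefix]
  png:  ['image/png',  [0x89, 0x50, 0x4e, 0x47]],
  jpg:  ['image/jpeg', [0xff, 0xd8, 0xff]],
  jpeg: ['image/jpeg', [0xff, 0xd8, 0xff]],
  pdf:  ['application/pdf', [0x25, 0x50, 0x44, 0x46]],
};

function startsWithBytes(bytes, prefix) {
  return prefix.every((b, i) => bytes[i] === b);
}

// Returns null when the upload is acceptable, otherwise the rejection reason.
// bytes is a Uint8Array/Buffer of the received body, not a client-supplied size.
function checkUpload({ filename, declaredMime, bytes }) {
  const ext = (filename.split('.').pop() || '').toLowerCase();
  if (filename.indexOf('.') < 1 || !Object.prototype.hasOwnProperty.call(ALLOWED, ext)) {
    return `extension .${ext} not allowed`;
  }
  if (bytes.length === 0 || bytes.length > MAX_BYTES) return 'size out of range';
  const [mime, magic] = ALLOWED[ext];
  if (declaredMime !== mime) return `declared type ${declaredMime} does not match .${ext}`;
  if (!startsWithBytes(bytes, magic)) return 'content does not match extension';
  return null;
}

// Zip-slip: an archive entry must stay inside the extraction root. Reject
// absolute paths, Windows drive letters, empty segments and any '..' segment;
// a trailing slash (directory entry) is allowed.
function isSafeEntryPath(entry) {
  const p = entry.replace(/\\/g, '/');
  if (!p || p.startsWith('/') || /^[a-zA-Z]:/.test(p)) return false;
  const segs = p.split('/');
  if (segs[segs.length - 1] === '') segs.pop();
  return segs.every((seg) => seg !== '..' && seg !== '');
}
```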
9. Audit third-party scripts
Every <script src="..."> from a domain you don’t own is code execution in your users’ browsers. List them and either self-host (for analytics, fonts) or add integrity="sha384-..." (Subresource Integrity). A compromised CDN script is a compromised app.
10. Configure backups
In Hostinger panel → Backups: enable daily automated backups for the database and the file store. Confirm the restore path actually works once before you need it — back up a record, delete it, restore.
11. Review SEO meta and AI-generated content
The generator may have written <meta> tags from your prompt verbatim. Check that nothing reveals internal naming (admin URLs, internal product names, dev environment hostnames). Also: any AI-generated body text rendered as HTML needs sanitization — see LLM-rendered HTML/Markdown.
12. Audit user role management
If your app has roles (admin, customer, etc.): test with two accounts, one of each role. Confirm the regular user cannot access admin routes by URL. The default Horizons-generated check often hides the admin link in the UI but leaves the route open.
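An added example covering items 2 and 12, not code from Horizons or this page: an Express-style requireAuth middleware that resolves a server-side session from an httpOnly cookie, a requireRole gate chained after it, and a small simulator so both can be exercised against the two-account test described above. The session store, cookie name and record shape are assumptions.

```javascript
// Added example (not Horizons-generated code). SESSIONS stands in for a real
// server-side store; cookie name 'sid' and the record fields are assumptions.
const SESSIONS = new Map([           // constructed: sid -> session record
  ['sid-alice', { userId: 1, role: 'customer', verified: true }],
  ['sid-root',  { userId: 2, role: 'admin',    verified: true }],
  ['sid-new',   { userId: 3, role: 'customer', verified: false }],
]);

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// The browser only holds an opaque cookie id; the token never sits in
// localStorage, so script injected by an XSS cannot read it.
function requireAuth(req, res, next) {
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid && SESSIONS.get(sid);
  if (!session) return res.status(401).json({ error: 'unauthenticated' });
  if (!session.verified) return res.status(403).json({ error: 'email not verified' });
  req.user = session;
  return next();
}

// Role gate: relies on req.user set by requireAuth, so always chain it after.
// Hiding the admin link in the UI does nothing; this is the check that matters.
function requireRole(role) {
  return (req, res, next) => {
    if (!req.user || req.user.role !== role) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// Run a middleware chain against a minimal fake req/res so the gates can be
// tested without a server; returns the status sent, or 200 if every gate passed.
function simulate(cookieHeader, ...chain) {
  const req = { headers: { cookie: cookieHeader } };
  let sent = 200;
  const res = { status(s) { sent = s; return this; }, json() { return this; } };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return sent;
}
```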
13. Configure error pages
Production errors should return a generic message + request ID, never a stack trace. Wrap your error handler with if (process.env.NODE_ENV === 'production') to switch behaviour. Stack traces leak file paths, ORM versions, and runtime — recon that makes the next attack cheaper.
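An added example, not code from Horizons or this page: an Express-style error handler that records the full stack server-side and returns only a generic message plus a request ID to the client when NODE_ENV is production, with a helper that drives it under either environment. The log sink and request-id fallback are constructed stand-ins; a real app would attach crypto.randomUUID() per request.

```javascript
// Added example (not Horizons-generated code). serverLog stands in for the
// real log sink; the counter-based id is a fallback for requests without one.
const serverLog = [];
let fallbackCounter = 0;

function errorHandler(err, req, res, next) {
  const requestId = req.id || `req-fallback-${++fallbackCounter}`;
  // Full detail stays on the server, keyed by the id the user can quote back.
  serverLog.push({ requestId, message: err.message, stack: err.stack });
  const status = Number.isInteger(err.status) ? err.status : 500;
  const body = process.env.NODE_ENV === 'production'
    ? { error: 'Something went wrong', requestId }           // no paths, versions or runtime
    : { error: err.message, requestId, stack: err.stack };   // detail only outside production
  res.status(status).json(body);
}

// Drive the handler once with a fake res under the given NODE_ENV and return
// exactly what the client would receive.
function renderError(err, env) {
  const prev = process.env.NODE_ENV;
  process.env.NODE_ENV = env;
  let sent;
  const res = { status() { return this; }, json(b) { sent = b; } };
  try {
    errorHandler(err, { id: 'req-123' }, res, () => {});
  } finally {
    if (prev === undefined) delete process.env.NODE_ENV; else process.env.NODE_ENV = prev;
  }
  return sent;
}
```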
14. Review email integration
If using Hostinger SMTP for transactional email: confirm SPF and DKIM are configured for your sending domain (otherwise password reset emails go to spam, which means users click whatever phishing email arrives instead). Audit the templates for: links that aren’t on your domain, links that include the user’s session token in the URL.
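An added example, not code from Horizons or this page: a template audit that pulls every href out of a transactional email and flags off-domain hosts, non-HTTPS links and session-like query parameters. The sending domain, parameter list and sample template are constructed; a one-time password-reset code in the URL is expected and is not flagged.

```javascript
// Added example (not Horizons-generated code). Domain, parameter names and the
// sample template below are constructed for illustration.
const SENDING_DOMAIN = 'example.com';
const SESSION_PARAMS = ['session', 'session_token', 'sid', 'jwt', 'access_token'];

function extractLinks(html) {
  const links = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.push(m[1]);
  return links;
}

// Returns one finding per problem; mailto: links are skipped.
function auditTemplateLinks(html, domain = SENDING_DOMAIN) {
  const findings = [];
  for (const link of extractLinks(html)) {
    let url;
    try { url = new URL(link); } catch { findings.push({ link, issue: 'relative or malformed url' }); continue; }
    if (url.protocol === 'mailto:') continue;
    if (url.protocol !== 'https:') findings.push({ link, issue: 'not https' });
    const host = url.hostname.toLowerCase();
    if (host !== domain && !host.endsWith('.' + domain)) findings.push({ link, issue: 'off-domain host' });
    for (const [k] of url.searchParams) {
      if (SESSION_PARAMS.includes(k.toLowerCase())) findings.push({ link, issue: `session-like parameter "${k}" in url` });
    }
  }
  return findings;
}

// Constructed sample: a fine reset link, a bad login link, a tracking pixel.
const SAMPLE_TEMPLATE = `
<p>Reset: <a href="https://app.example.com/reset?code=abc123">click here</a></p>
<p>Or <a href="https://example.com/login?session=sess-1234">log in</a></p>
<img src="x"><a href="http://cdn.tracker.net/open.gif">.</a>
<a href="mailto:support@example.com">support</a>`;
```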
15. Monitor for platform updates
Hostinger Horizons is iterating fast; defaults change. Subscribe to their changelog, and after any platform-side change, re-run the audit — settings can flip with a release.
16. Run automated security scan
The Vibe Code Scanner covers the deploy-side patterns: source maps, exposed config files, debug routes. The full VibeEval scan adds BOLA, role-escalation, and webhook-trust probes.