GUIDE / PRE-LAUNCH CHECKLIST

SOLO FOUNDER PRE-LAUNCH SECURITY CHECKLIST

Twelve checks. None require a security background. None take more than 15 minutes. Run them in order before you accept your first paying user — every one of them maps to a real failure mode we see weekly across Lovable, Bolt, Cursor, Replit, and V0.

You are launching a small app with paying users. You do not have a security team. You have used Lovable, Bolt, Cursor, Replit, or V0, and you are wondering whether the working app you have is also a safe app to give to strangers.

The answer is almost always no, by default. The cause is almost always one of the twelve items below. The fix for every item is in the linked guide.

Run them in order. The first three catch what loses every user’s data; the last nine catch the things that escalate.

The checklist

1. Authorization at the database level (RLS / Firebase rules)

The single biggest source of leaked data in AI-built apps. If you are on Supabase, every public table needs Row Level Security with a policy that actually restricts access. If you are on Firebase, your firestore.rules file must not allow read, write: if true.

How to check. Use the Supabase RLS Checker for Supabase, or the Firebase Scanner for Firebase. Both query your live backend with the public key and report which collections respond.

Why this matters first. Without this, every other check is moot — your data is already public.

2. Secret keys not shipped to the browser

The Stripe secret key, the Supabase service-role key, the OpenAI key, the AWS access key — none of these belong in your frontend bundle. Anyone with browser DevTools can read them.

How to check. Run the Token Leak Checker — it loads your URL and runs 100+ key signatures against everything the browser fetched.

Why this matters second. A leaked secret key is more expensive than leaked data — it gives an attacker direct billable access to your provider account.

3. One user cannot read another user’s resources (BOLA)

Make two test accounts. Log in as user A, copy a resource URL (an invoice, a project, a profile). Log in as user B, paste the URL.

How to check. Manual test as described, or run the full VibeEval scan which enumerates BOLA across roles automatically. Detailed walk-through in the Lovable builder checklist.

Why this matters third. AI-generated CRUD endpoints filter by ID without checking ownership in 32% of apps we scan.

4. Role and permission fields not self-editable

If your app has an is_admin, role, or permissions field, attempt to set it on yourself by editing a profile-update request. Common AI-generated patterns accept arbitrary fields on update.

How to check. Open DevTools, find the profile update request, edit the body to include "role": "admin", replay, refresh.

Why this matters. This is privilege escalation — turns one compromised account into an admin compromise.

5. Auth callback URLs locked down

If you use Supabase Auth, third-party OAuth, or magic links, the redirect URL allow-list must contain only your real domains. Wildcards or bare localhost in production lead to open-redirect token theft.

How to check. Supabase: Authentication > URL Configuration. Firebase Auth: Authentication > Settings > Authorized domains.

6. CORS not allow-all on credentialed endpoints

If your API responds with Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true, any malicious site can make requests as your logged-in users.

How to check. Use the Security Headers Checker — it inspects CORS along with CSP, HSTS, and X-Frame-Options.

7. Rate limits on auth and write endpoints

Login should not accept 1,000 attempts per minute. Signup should not accept 1,000 accounts per minute. Password reset should not flood any inbox.

How to check. Try logging in 100 times in a row with a script. If it works, you have no rate limit. Most managed auth services (Supabase Auth, Firebase Auth, Auth0) have rate limits in the dashboard — make sure they are turned on.

8. Dependencies up to date and not invented

AI generators occasionally invent npm package names that attackers register. Real packages also accumulate CVEs over time.

How to check. Run npm audit for an immediate gate. For ongoing protection, use Snyk Open Source (free for small projects) or Socket — Socket is uniquely good at catching hallucinated and typo-squatted packages.

9. Verbose errors disabled in production

Stack traces, ORM errors, and internal hostnames in error responses give attackers a map of your stack. Disable verbose errors before launch.

How to check. Trigger an error path (post bad JSON to an endpoint, request a missing route) and confirm the response is generic.

10. HTTPS-only with HSTS

HTTPS is on by default with most managed hosts (Vercel, Netlify, Lovable’s deployer, Bolt). HSTS is not. Without HSTS, a single missed-HTTPS click leaks the session cookie.

How to check. Use the Security Headers Checker — it reports HSTS, including max-age and includeSubDomains.

11. File uploads validated

If your app accepts file uploads — profile photos, attachments, imports — validate type, size, and storage location server-side. Default storage in Supabase or Firebase is usually public unless you scoped it.

How to check. Try uploading a .html file with <script>alert(1)</script> and a .svg file with embedded JS. If either is served back to other users, you have stored XSS. Try uploading a 1GB file. If it accepts, you have no size limit.

12. Logs do not contain user secrets

Search your application logs for Bearer , password fields, raw card numbers (PAN), and email addresses associated with sessions. AI-generated middleware frequently logs full request bodies, which then ship to whatever log aggregator you set up — and from there to anyone who breaches that aggregator.

How to check. Read 100 random log lines. If you see anything that looks like a credential or a request body, scrub it before launch.

After the checklist

Run the free VibeEval scan to verify everything above plus the long-tail probes (SSRF, IDOR variants, LLM prompt injection if you have a chat surface, dependency CVEs against runtime).

Save the scan output. When a B2B customer eventually asks for a security questionnaire, the dated report is your shortest-path answer.

/ FAQ

COMMON QUESTIONS

01
Is this checklist enough for launch?
It is enough for a small B2C MVP with no regulated data. If you are processing payments, holding health information, or handling children's data, layer this checklist with a human review. If you are running B2B with enterprise customers, expect a security questionnaire that asks for evidence beyond what this list produces.
Q&A
02
What is the difference between this checklist and a Lovable-specific or Bolt-specific one?
This list is stack-agnostic — every item applies regardless of the AI builder you used. Platform-specific checklists drill into config screens unique to that platform. Use this list first to confirm coverage; use the platform-specific list to find the exact toggle to flip.
Q&A
03
Where can I get help if I find something I do not understand?
Each item links to a dedicated guide or scanner that explains how to verify and fix it. The free scanners on this site cover the four highest-impact items. For everything else, the linked guide includes the actual command, dashboard path, or code snippet.
Q&A
04
Should I do this myself or hire someone?
If you can do these twelve items yourself in under three hours total, you do not need a paid pentest yet. If any item is unclear after reading the linked guide, that is the signal to bring in help — but bring in someone who has worked with your specific stack, not just a generic AppSec consultant.
Q&A
05
Do I need to redo the checklist for every release?
Yes for items 1, 2, 3, and 8 — these tend to regress when new features are added. Items 4 through 7 and 9 through 12 are usually one-time setup checks. Automated scanning is the cheap way to catch regression on the four high-churn items.
Q&A
/ NEXT STEP

VERIFY THE CHECKLIST

VibeEval runs every check above plus 295 more, against your live URL, in under 60 seconds.

RUN PRE-LAUNCH SCAN