The Indie SaaS Security Checklist
7 critical security checks for Next.js and Supabase apps. Ignore these and you might get hacked; follow them and you're ahead of 99% of indie hackers.
1. Stop Committing .env Files
It sounds obvious, but it is the #1 cause of leaks. Add .env to your .gitignore immediately. If you have already committed it, rotating your keys is mandatory: deleting the file from history is not enough, because anyone who cloned or forked the repo (and any secret scanner that indexed it) already has the old values.
2. Database Row Level Security (RLS)
If you use Supabase or Firebase, your database is likely public by default: the browser talks to it directly with a key that ships in your frontend, so the database itself has to decide who may see which row. You must write RLS policies (e.g., 'auth.uid() = user_id') to ensure users can only see their own data. Remember that a policy has no effect until RLS is enabled on the table, and that each operation (select, insert, update, delete) needs its own policy.
3. Disable Source Maps in Production
Shipping source maps (.js.map) lets anyone view your original, unminified code, including comments and any secrets that ended up in it. Set 'productionBrowserSourceMaps: false' in your next.config.js (false is the Next.js default, so check that nobody turned it on) and make sure no .map files are in the deployed bundle.
4. Verify Webhook Signatures
If you use Stripe or LemonSqueezy, hackers can fake payment events if you don't verify the signature header ('Stripe-Signature' for Stripe, 'X-Signature' for LemonSqueezy). Never trust the request body blindly: verify the signature over the raw, unparsed body with your webhook secret, and reject the request when the check fails.
5. Lock Down /admin Routes
Don't just hide the link in your UI. Hackers guess '/admin' instantly. Protect the route with middleware that checks for an 'admin' role taken from a server-verified session (never from a cookie or header the client can set itself), or move it to a completely different subdomain.
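The decision logic of such a middleware, as an added example that is not the page's own code. It is written framework-free so it runs anywhere; in a real Next.js middleware.ts you would wrap the result in NextResponse.redirect (for 'login') or a 403 response (for 'forbidden'). The session object is assumed to come from a server-verified source such as a validated JWT or a server-side session lookup.

```javascript
// Added example: route guard for everything under /admin.
// Assumption: `session` was already verified server-side; its `roles` array is trusted.
const ADMIN_PREFIX = "/admin";

// Resolve dot segments so "/blog/../admin/users" is recognised as an admin path,
// and require a path boundary so "/administration" is not accidentally protected.
function isAdminPath(pathname) {
  const path = new URL(pathname, "http://localhost").pathname;
  return path === ADMIN_PREFIX || path.startsWith(ADMIN_PREFIX + "/");
}

// Returns "allow", "login" (no session) or "forbidden" (session without the admin role).
function adminRouteDecision(pathname, session) {
  if (!isAdminPath(pathname)) return "allow";
  if (!session || !session.userId) return "login";
  const roles = Array.isArray(session.roles) ? session.roles : [];
  return roles.includes("admin") ? "allow" : "forbidden";
}
```

Deny is the default: a session with no roles array, or one whose role list does not contain 'admin', gets 'forbidden', and only an explicit match opens the route.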
6. Security Headers (HSTS & CORS)
Prevent 'Clickjacking' and 'Man-in-the-Middle' attacks. Ensure your server sends 'Strict-Transport-Security' so browsers refuse plain HTTP to your host, sends 'X-Frame-Options: DENY' (or a CSP 'frame-ancestors' directive) so other sites cannot embed your pages in a frame, and restricts 'Access-Control-Allow-Origin' to your own domain rather than '*'.
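A next.config.js that applies item 3 (no production source maps) and item 6 (security headers on every route), as an added example rather than code from the checklist. The APP_ORIGIN value is a constructed placeholder; replace it with your real origin.

```javascript
// Added example next.config.js covering items 3 and 6.
// APP_ORIGIN is a constructed placeholder, not a real deployment.
const APP_ORIGIN = "https://app.example.com";

// Builds the header list consumed by Next.js' headers() config hook.
function securityHeaders(origin) {
  return [
    // Browsers remember to use HTTPS for this host for one year, blocking downgrade MitM.
    { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
    // Clickjacking: refuse to be framed. frame-ancestors is the CSP equivalent.
    { key: "X-Frame-Options", value: "DENY" },
    { key: "Content-Security-Policy", value: "frame-ancestors 'none'" },
    // CORS: only our own origin may read cross-origin responses, never "*".
    { key: "Access-Control-Allow-Origin", value: origin },
    // Stop browsers from sniffing a response into a different content type.
    { key: "X-Content-Type-Options", value: "nosniff" },
  ];
}

const nextConfig = {
  productionBrowserSourceMaps: false, // item 3: no .js.map files in the production bundle
  async headers() {
    // "/(.*)" matches every route, so the headers are sent on every response.
    return [{ source: "/(.*)", headers: securityHeaders(APP_ORIGIN) }];
  },
};

module.exports = nextConfig;
```

If you front the app with a CDN or reverse proxy, check the headers on the actual public URL with your browser's network tab, because a proxy can strip or override what Next.js sets.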
7. Separate Dev & Prod Keys
Never use your Live Stripe keys on localhost. If you accidentally paste a key into a screenshot or screen share, it should be a test key that can be deleted without breaking production.
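A boot-time check that enforces this rule, as an added example and not the page's own code. It relies on Stripe secret keys starting with 'sk_live_' (live mode) or 'sk_test_' (test mode); the environment rule itself is this checklist's policy, not a Stripe API. The key strings below are constructed samples.

```javascript
// Added example: refuse to start with a Stripe key from the wrong environment.
// Assumption: secret keys are prefixed sk_live_ (live) or sk_test_ (test).
function stripeKeyMode(key) {
  if (typeof key !== "string") return "missing";
  if (key.startsWith("sk_live_")) return "live";
  if (key.startsWith("sk_test_")) return "test";
  return "unknown";
}

// Returns { ok: true } or { ok: false, reason } so the caller can fail fast at boot.
function checkStripeKeyForEnvironment(key, nodeEnv) {
  const mode = stripeKeyMode(key);
  const isProd = nodeEnv === "production";
  if (mode === "missing" || mode === "unknown") {
    return { ok: false, reason: `unrecognised key (${mode})` };
  }
  if (mode === "live" && !isProd) return { ok: false, reason: "live key outside production" };
  if (mode === "test" && isProd) return { ok: false, reason: "test key in production" };
  return { ok: true };
}

// Usage at startup: throw before any request is served.
// e.g. assertStripeKeyForEnvironment(process.env.STRIPE_SECRET_KEY, process.env.NODE_ENV);
function assertStripeKeyForEnvironment(key, nodeEnv) {
  const result = checkStripeKeyForEnvironment(key, nodeEnv);
  if (!result.ok) throw new Error(`STRIPE_SECRET_KEY check failed: ${result.reason}`);
}
```

The check runs both ways on purpose: a test key in production silently stops real payments, which is as much an incident as a live key on a laptop.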
Too lazy to check manually?
Our automated scanner checks for most of these issues (and 20+ others) in less than 10 seconds.
Scan My App Free