March 22, 2026 · SafeToShip Team

The Security Checklist Before You Launch

A plain-English checklist of security issues to fix before launching your AI-built app. No jargon, just the things that actually matter for vibe coders shipping on Lovable, Bolt, Cursor, and Replit.

You have built something great. It works, it looks good, and you are ready to share it with the world. Before you do, take five minutes to run through this checklist.

These are the security issues we see most often in AI-built apps, and they are all fixable.

1. Check your database security

If you are using Supabase, make sure Row Level Security is enabled on every table. By default, new tables have RLS disabled, which means anyone with your Supabase URL and anon key can read and write everything.

If you are using Firebase, check your Firestore security rules. The default test-mode rules allow anyone to read and write your entire database. Those rules expire after 30 days, but many apps launch before the expiry.

2. Look for exposed secrets

Open your deployed app and view the page source. Search for anything that looks like an API key. Common patterns to look for:

  • sk- (OpenAI keys)
  • sk_live_ (Stripe secret keys)
  • AKIA (AWS access keys)
  • service_role (Supabase service role keys)

If you find any, move the API call to a server-side route and rotate the key.
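Here is a small scanner, added to this post as an example rather than code from SafeToShip's product, that runs the search above over a page's source. It looks for the four prefixes listed, redacts what it finds, and goes one step beyond the literal grep: Supabase keys are JWTs, so it also decodes any JWT it sees and checks the role claim, which catches a service_role key even when the text "service_role" never appears in the page. The length and character-set parts of the patterns, the fakeJwt helper, and the sample page source are all assumptions or constructed data.

```javascript
// Added example (not SafeToShip's code): scan page source for key-like
// strings, redact matches, and decode JWTs to spot a service_role key.
const SECRET_PATTERNS = [
  // Prefixes are the ones from the checklist; the length and character-set
  // parts are assumptions that cut down false positives, not official formats.
  { kind: "OpenAI key", re: /\bsk-[A-Za-z0-9_-]{20,}/g },
  { kind: "Stripe live secret key", re: /\bsk_live_[A-Za-z0-9]{16,}/g },
  { kind: "AWS access key id", re: /\bAKIA[A-Z0-9]{16}\b/g },
  { kind: "literal service_role mention", re: /service_role/g },
];
// header.payload.signature, each base64url; "eyJ" is base64 for '{"'
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Keep a few characters at each end so the owner can tell which key it is
// without the report becoming a second copy of the secret.
function redact(secret) {
  if (secret.length <= 12) return "*".repeat(secret.length);
  return secret.slice(0, 6) + "..." + secret.slice(-4);
}

// Returns the "role" claim of a JWT payload, or null if it is not a JWT.
function jwtRole(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}

function findExposedSecrets(source) {
  const findings = [];
  for (const { kind, re } of SECRET_PATTERNS) {
    for (const m of source.matchAll(re)) {
      findings.push({ kind, redacted: redact(m[0]), index: m.index });
    }
  }
  // The anon key is meant to be public; only a service_role JWT is a leak.
  for (const m of source.matchAll(JWT_RE)) {
    if (jwtRole(m[0]) === "service_role") {
      findings.push({ kind: "Supabase service_role key", redacted: redact(m[0]), index: m.index });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Constructed sample page source; every value below is fake and built here.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(payload)}.${"x".repeat(43)}`;
}
const SAMPLE_PAGE_SOURCE = `
<script>
  const OPENAI_KEY = "sk-EXAMPLE0000000000000000000000";
  const admin = createClient("https://example.supabase.co", "${fakeJwt({ role: "service_role", iss: "supabase" })}");
  const client = createClient("https://example.supabase.co", "${fakeJwt({ role: "anon", iss: "supabase" })}");
  const stripe = Stripe("sk_live_EXAMPLE0000000000000");
  const publishable = "pk_test_EXAMPLE0000000000000";
  // leftover from debugging: which key did we paste here? service_role?
</script>`;

console.log(findExposedSecrets(SAMPLE_PAGE_SOURCE));
```

Run it against the saved source of your deployed page (view-source, or curl the URL and the JS bundles it loads). The anon key and the publishable Stripe key are designed to be public and are not reported; anything else the scanner lists should be moved behind a server-side route and rotated.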

3. Check your security headers

Your site should send these HTTP headers with every response:

  • Content-Security-Policy prevents script injection attacks
  • Strict-Transport-Security forces HTTPS connections
  • X-Content-Type-Options: nosniff prevents MIME-type sniffing
  • X-Frame-Options prevents your site from being embedded in iframes

Most AI-generated apps are missing all of these. The fix is usually a few lines in your hosting configuration or middleware.

4. Verify your SSL certificate

If you are on Vercel, Netlify, or a similar platform, your SSL is probably fine. But check that:

  • Your certificate is not expiring in the next 30 days
  • You are using TLS 1.2 or higher
  • HSTS is enabled so browsers always use HTTPS
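The following is an added example, not code from SafeToShip or from any hosting platform, covering both the header checklist above and the certificate items in this section. It bundles the four headers into one object with starting-point values, shows the Express-style middleware that sets them, and includes an audit that grades a response the way a launch check would: missing headers, an HSTS max-age that is too short, a certificate expiring within 30 days, and a TLS version below 1.2. The header values, the 180-day HSTS threshold, and both sample responses are assumptions; the TLS version names are the strings Node's tls socket.getProtocol() returns.

```javascript
// Added example (not SafeToShip's code): recommended headers, a middleware
// that sets them, and an audit covering headers, certificate expiry and TLS.
const RECOMMENDED_HEADERS = {
  // Assumed starting values; tighten the CSP to what your app actually loads.
  "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
};

// Express-style (req, res, next) middleware; res.setHeader is the Node API.
function securityHeadersMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(RECOMMENDED_HEADERS)) res.setHeader(name, value);
  next();
}

function lowercaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

function parseHstsMaxAge(value) {
  const m = /max-age\s*=\s*(\d+)/i.exec(value || "");
  return m ? Number(m[1]) : null;
}

// Protocol names as returned by Node's tls socket.getProtocol().
const TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"];
const MIN_HSTS_SECONDS = 15552000; // 180 days, an assumed threshold

// headers: response headers; certNotAfter: a Date (for example
// new Date(socket.getPeerCertificate().valid_to)); tlsVersion: getProtocol() string.
function auditResponse({ headers, certNotAfter, tlsVersion, now = new Date() }) {
  const h = lowercaseKeys(headers || {});
  const issues = [];
  const csp = h["content-security-policy"] || "";
  if (!csp) issues.push("missing Content-Security-Policy");
  const maxAge = parseHstsMaxAge(h["strict-transport-security"]);
  if (maxAge === null) issues.push("missing Strict-Transport-Security");
  else if (maxAge < MIN_HSTS_SECONDS) issues.push(`Strict-Transport-Security max-age too short (${maxAge}s)`);
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") issues.push("X-Content-Type-Options is not nosniff");
  // CSP frame-ancestors is the modern replacement for X-Frame-Options, so either one satisfies the check.
  if (!h["x-frame-options"] && !/frame-ancestors/i.test(csp)) issues.push("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)");
  if (certNotAfter) {
    const days = Math.floor((certNotAfter.getTime() - now.getTime()) / 86400000);
    if (days < 0) issues.push("certificate has expired");
    else if (days < 30) issues.push(`certificate expires in ${days} days`);
  }
  if (tlsVersion) {
    const idx = TLS_ORDER.indexOf(tlsVersion);
    if (idx === -1 || idx < TLS_ORDER.indexOf("TLSv1.2")) issues.push(`negotiated ${tlsVersion}; require TLS 1.2 or higher`);
  }
  return issues;
}

// Constructed inputs: a typical fresh deployment versus the hardened version.
const FIXED_NOW = new Date("2026-03-22T00:00:00Z");
const WEAK_RESPONSE = {
  headers: { "Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN" },
  certNotAfter: new Date("2026-04-01T00:00:00Z"),
  tlsVersion: "TLSv1.1",
  now: FIXED_NOW,
};
const HARDENED_RESPONSE = {
  headers: RECOMMENDED_HEADERS,
  certNotAfter: new Date("2026-12-01T00:00:00Z"),
  tlsVersion: "TLSv1.3",
  now: FIXED_NOW,
};
console.log("weak:", auditResponse(WEAK_RESPONSE));
console.log("hardened:", auditResponse(HARDENED_RESPONSE));
```

Note the clickjacking rule: a CSP with frame-ancestors already does what X-Frame-Options does, so the audit accepts either one rather than demanding both.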

5. Remove exposed files

Check that these URLs return 404 (not found) on your production site:

  • yoursite.com/.env
  • yoursite.com/.git/HEAD
  • yoursite.com/wp-config.php

If any of these return a 200 response, you have a serious problem. Your environment variables or source code are publicly accessible.
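The check above has one trap worth handling: many hosts answer 200 for every unknown path and serve the app shell, so a plain status check reports a leak that is not there. The script below, added as an example and not SafeToShip's scanner, probes the three paths and only calls a 200 "exposed" when the body actually looks like the file in question; a 403 or redirect is flagged for a manual look. The body heuristics and the stub responses are constructed for the example; pass a real fetch to run it against your site.

```javascript
// Added example (not SafeToShip's code): probe the checklist paths and tell
// a real leak apart from a catch-all page that returns 200 for everything.
const SENSITIVE_PATHS = [
  // .env files are KEY=value lines
  { path: "/.env", looksReal: (body) => /^[A-Za-z_][A-Za-z0-9_]*=/m.test(body) },
  // .git/HEAD is "ref: refs/heads/<branch>" or a bare 40-hex commit id
  { path: "/.git/HEAD", looksReal: (body) => /^(ref: refs\/\S+|[0-9a-f]{40})$/m.test(body.trim()) },
  // wp-config.php served as source shows PHP and the DB constants
  { path: "/wp-config.php", looksReal: (body) => /<\?php|DB_PASSWORD/.test(body) },
];

function classifyProbe(status, body, looksReal) {
  if (status === 404) return "ok";
  if (status === 200) return looksReal(body) ? "exposed" : "soft-404";
  return "check"; // 403, 301, 500 ...: not confirmed either way, look at it by hand
}

// fetchImpl defaults to the global fetch (Node 18+); pass a stub to run offline.
async function checkExposedFiles(baseUrl, fetchImpl = globalThis.fetch) {
  const results = [];
  for (const { path, looksReal } of SENSITIVE_PATHS) {
    const url = new URL(path, baseUrl).toString();
    const res = await fetchImpl(url, { redirect: "manual" });
    const body = res.status === 200 ? await res.text() : "";
    results.push({ path, status: res.status, verdict: classifyProbe(res.status, body, looksReal) });
  }
  return results;
}

// Constructed responses standing in for a real site: .env leaks, /.git/HEAD
// hits a SPA catch-all that answers 200 with the app shell, wp-config.php is gone.
const CONSTRUCTED_SITE = {
  "/.env": { status: 200, body: "DATABASE_URL=postgres://example\nOPENAI_API_KEY=sk-EXAMPLE\n" },
  "/.git/HEAD": { status: 200, body: '<!doctype html><div id="root"></div>' },
  "/wp-config.php": { status: 404, body: "Not Found" },
};
function stubFetch(url) {
  const r = CONSTRUCTED_SITE[new URL(url).pathname] || { status: 404, body: "" };
  return Promise.resolve({ status: r.status, text: () => Promise.resolve(r.body) });
}

checkExposedFiles("https://yoursite.com", stubFetch).then((results) => console.table(results));
```

Only the "exposed" verdict means the file is really being served. A "soft-404" is the catch-all behaviour described above and is harmless for these paths, though it is worth knowing your host does it, because it hides real 404s from every other check too.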

6. Set up email security

If your app sends emails (password resets, notifications, marketing), make sure your domain has:

  • An SPF record, which tells email servers who is allowed to send as your domain
  • A DMARC record, which tells receivers what to do with spoofed emails

Without these, attackers can send emails that look like they come from your domain.
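Having the records is only half of it; a permissive SPF (ending in +all) or a DMARC policy of p=none still lets spoofed mail through. The checker below, an added example rather than SafeToShip's code, evaluates both records for the weak settings a launch check should catch. It takes the TXT records as strings so it runs offline; in Node you would get them from dns.promises.resolveTxt(domain) and resolveTxt("_dmarc." + domain), joining each record's chunks first. The sample records are constructed, not real lookups.

```javascript
// Added example (not SafeToShip's code): grade SPF and DMARC TXT records.
function evaluateSpf(txtRecords) {
  const issues = [];
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return { ok: false, issues: ["no SPF record"] };
  if (spf.length > 1) return { ok: false, issues: ["multiple SPF records; receivers treat this as a permanent error"] };
  const allTerm = spf[0].trim().split(/\s+/).find((t) => /^[+\-~?]?all$/i.test(t));
  if (!allTerm) {
    issues.push("SPF has no 'all' mechanism, so unlisted senders are not rejected");
  } else {
    const qualifier = allTerm.length === 3 ? "+" : allTerm[0]; // a bare "all" means "+all"
    if (qualifier === "+") issues.push("SPF ends in +all, which authorizes every sender on the internet");
    if (qualifier === "?") issues.push("SPF ends in ?all (neutral), which gives receivers no signal");
  }
  return { ok: issues.length === 0, issues };
}

// DMARC records are "tag=value" pairs separated by semicolons.
function parseDmarcTags(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}

function evaluateDmarc(txtRecords) {
  const issues = [];
  const dmarc = txtRecords.filter((r) => /^v=DMARC1\s*(;|$)/i.test(r));
  if (dmarc.length === 0) return { ok: false, issues: ["no DMARC record at _dmarc.<domain>"] };
  const tags = parseDmarcTags(dmarc[0]);
  const policy = (tags.p || "").toLowerCase();
  if (!policy) issues.push("DMARC record has no p= policy tag");
  else if (policy === "none") issues.push("DMARC policy is p=none, which only monitors and does not stop spoofing");
  else if (policy !== "quarantine" && policy !== "reject") issues.push(`unknown DMARC policy p=${tags.p}`);
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (pct < 100) issues.push(`DMARC policy applies to only ${pct}% of mail (pct=${pct})`);
  if (!tags.rua) issues.push("no rua= address, so you will never see aggregate reports of spoofing attempts");
  return { ok: issues.length === 0, issues };
}

function evaluateEmailAuth({ domainTxt, dmarcTxt }) {
  const spf = evaluateSpf(domainTxt);
  const dmarc = evaluateDmarc(dmarcTxt);
  return { ok: spf.ok && dmarc.ok, spf, dmarc };
}

// Constructed DNS answers, not real lookups.
const WEAK_DOMAIN = {
  domainTxt: ["google-site-verification=constructed", "v=spf1 include:_spf.example.net +all"],
  dmarcTxt: ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
};
const GOOD_DOMAIN = {
  domainTxt: ["v=spf1 include:_spf.example.net -all"],
  dmarcTxt: ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
};
console.log(JSON.stringify(evaluateEmailAuth(WEAK_DOMAIN), null, 2));
console.log(JSON.stringify(evaluateEmailAuth(GOOD_DOMAIN), null, 2));
```

A common sequence is to publish DMARC with p=none and a rua= address first, watch the aggregate reports until every legitimate sender passes, then move to p=quarantine and finally p=reject; the checker treats p=none as unfinished for exactly that reason.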

The easy way: scan your app

Instead of checking all of this manually, paste your URL into SafeToShip. We run all 10 checks automatically in under 60 seconds.

You get a score out of 10, a grade, and plain-English explanations of every issue found. Upgrade to get AI fix prompts tailored to your specific tech stack.

Scan your app now

Find security issues in 60 seconds. Your first scan is free.