Claude Code pre-launch security checklist
Claude Code is increasingly the AI behind serious side projects, but a long session can drift away from security defaults set early. These twelve checks are tied to scanner findings — paste the prompt at the bottom into Claude Code and let it audit its own work.
12 checks
Tick through each one
Click any item to open the detailed fix guide. The detector tag names the scanner module that marks the item pass or fail when you run a SafeToShip scan.
No third-party API keys in client code
Severity: Critical. Detector: js-secrets
.env not deployed
Severity: Critical. Detector: exposed-files
.git not exposed
Severity: Critical. Detector: exposed-files
CSP header set
Severity: High. Detector: headers
HSTS configured
Severity: High. Detector: headers
X-Frame-Options or frame-ancestors set
Severity: High. Detector: headers
X-Content-Type-Options: nosniff
Severity: Medium. Detector: headers
CORS allowlist not wildcard
Severity: High. Detector: cors
Cookies Secure + HttpOnly + SameSite
Severity: High. Detector: cookies
Valid TLS
Severity: High. Detector: ssl
Auth verified on every protected server route
Severity: High. Detector: tech-detect
Rate limiting on auth and write endpoints
Severity: Medium. Detector: rate-limit
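The header, CORS and cookie items above are the ones a scanner can judge from a single HTTP response. The following is an added example, not SafeToShip's scanner and not code from this page: a dependency-free Node.js evaluator that takes raw response header lines and reports pass/fail for CSP, HSTS, framing, nosniff, CORS and cookie flags. The check names, the HSTS max-age threshold, the probe origin and both sample responses are constructed for illustration.

```javascript
// Added example (not SafeToShip's scanner): a dependency-free evaluator for the
// header, CORS and cookie checks in the list above. The check names, the HSTS
// threshold and the sample responses are constructed for illustration.

// Parse "Name: value" lines into a lowercase-keyed map. Set-Cookie can repeat,
// so it is collected as an array.
function parseHeaders(lines) {
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx < 0) continue; // status line or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name === "set-cookie") (headers[name] = headers[name] || []).push(value);
    else headers[name] = value;
  }
  return headers;
}

// A cookie passes only when all three attributes are present.
function cookieIsHardened(cookie) {
  const attrs = cookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const has = (prefix) => attrs.some((a) => a.startsWith(prefix));
  return has("secure") && has("httponly") && has("samesite=");
}

// probeOrigin is an origin that must never be allowed. If the server echoes it
// back in Access-Control-Allow-Origin, the "allowlist" is effectively a wildcard.
function auditResponse(lines, probeOrigin) {
  const h = parseHeaders(lines);
  const csp = h["content-security-policy"] || "";
  const hstsMaxAge = /max-age=(\d+)/i.exec(h["strict-transport-security"] || "");
  const acao = h["access-control-allow-origin"];
  const cookies = h["set-cookie"] || [];
  return {
    csp: csp.length > 0,
    // Assumed threshold: one year of max-age.
    hsts: hstsMaxAge !== null && Number(hstsMaxAge[1]) >= 31536000,
    frame: "x-frame-options" in h || /frame-ancestors/i.test(csp),
    nosniff: (h["x-content-type-options"] || "").toLowerCase() === "nosniff",
    cors: acao === undefined || (acao !== "*" && acao !== probeOrigin),
    cookies: cookies.every(cookieIsHardened),
  };
}

// Names of the checks that failed, in checklist order.
function failingChecks(results) {
  return Object.keys(results).filter((k) => !results[k]);
}

// Constructed sample: a typical unhardened response ...
const WEAK_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Strict-Transport-Security: max-age=300",
  "Access-Control-Allow-Origin: *",
  "Set-Cookie: session=abc123; Path=/",
];

// ... and the same app after applying the fixes in this checklist.
const HARDENED_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security: max-age=63072000; includeSubDomains",
  "X-Content-Type-Options: nosniff",
  "Access-Control-Allow-Origin: https://app.example.com",
  "Vary: Origin",
  "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
];

const PROBE_ORIGIN = "https://not-on-the-allowlist.example"; // constructed
console.log("weak     fails:", failingChecks(auditResponse(WEAK_RESPONSE, PROBE_ORIGIN)));
console.log("hardened fails:", failingChecks(auditResponse(HARDENED_RESPONSE, PROBE_ORIGIN)));
```

The CORS check is the one people get wrong most often: a server that reads the incoming Origin and copies it into Access-Control-Allow-Origin looks like an allowlist in the code but behaves like `*`, which is why the audit sends an origin that should never be accepted and fails the check if it comes back.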
Paste this into Claude Code
One prompt that runs the entire checklist as a code review pass.
Audit the codebase you wrote against this 12-point security checklist: (1) no API keys in client code, (2) .env not deployed, (3) .git not deployed, (4) CSP, HSTS, X-Frame-Options, X-Content-Type-Options headers all set, (5) CORS allowlist explicit origins, (6) cookies Secure+HttpOnly+SameSite, (7) TLS valid, (8) every protected server route runs an auth check, (9) rate limiting on auth + write endpoints. For each item, report PASS/FAIL with the file path of any failure, then propose fixes.
FAQ
Frequently asked questions
- Will Claude Code refuse to write insecure code?
- Claude tends to follow security best practices when prompted, but if your codebase already has insecure patterns (NEXT_PUBLIC_ secrets, wildcard CORS), it will follow your patterns. Establish secure defaults early and reference them in subsequent prompts.
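The FAQ answer above and check 1 in the list both come down to the same two patterns in client code: a NEXT_PUBLIC_ variable whose name says it holds a secret, and a long random-looking literal pasted straight into a source file. The following is an added example, not SafeToShip's js-secrets detector and not code from this page: a small scanner over source text that flags both. The name rule, the entropy threshold and the sample source lines are constructed assumptions.

```javascript
// Added example (not SafeToShip's js-secrets detector): a small scanner for the
// two patterns the FAQ warns about in client code. The NEXT_PUBLIC_ name rule,
// the entropy threshold and the sample source are all constructed.

// Shannon entropy in bits per character: random keys score high, words score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// NEXT_PUBLIC_ variables are inlined into the browser bundle by design, so any
// whose name suggests a secret is a finding. Plain "KEY" is deliberately not
// matched: publishable and anon keys are meant to be public.
const PUBLIC_ENV_SECRET = /NEXT_PUBLIC_[A-Z0-9_]*(?:SECRET|PRIVATE|TOKEN|PASSWORD|SERVICE_ROLE)[A-Z0-9_]*/g;
// Quoted token-like literals of 32+ characters with no spaces or punctuation.
const TOKEN_LITERAL = /["']([A-Za-z0-9_-]{32,})["']/g;
// Assumed threshold; tune per key format (hex-only keys score lower than base64).
const ENTROPY_THRESHOLD = 4.0;

// Returns one finding per match: { line, kind, match }.
function findClientSecrets(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(PUBLIC_ENV_SECRET)) {
      findings.push({ line: i + 1, kind: "public-env-secret", match: m[0] });
    }
    for (const m of text.matchAll(TOKEN_LITERAL)) {
      if (shannonEntropy(m[1]) >= ENTROPY_THRESHOLD) {
        findings.push({ line: i + 1, kind: "high-entropy-literal", match: m[1] });
      }
    }
  });
  return findings;
}

// Constructed sample source: two findings (lines 2 and 3), two benign lines.
// The key on line 3 is a made-up string, not a real credential.
const SAMPLE_BUNDLE = [
  'const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;',
  'const stripeSecret = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY;',
  'const apiKey = "a8f3Kq9ZmL2pX7vR4tY1wB6nC0dE5gH3jJ";',
  'const themeId = "dark_mode_default_palette_version_2";',
].join("\n");

for (const f of findClientSecrets(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.kind} -> ${f.match}`);
}
```

Run it against `src/` before a build and against the emitted bundle after one: the first catches the NEXT_PUBLIC_ names, the second catches values the bundler has already inlined. Anything it flags should be rotated, not just deleted, because a key that shipped once is already public.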
Per-issue depth
Fix guides for this checklist
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Read more
Missing CSP header
A missing Content-Security-Policy header means the browser will run any script an attacker manages to inject into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Read more
CORS allows all origins
An Access-Control-Allow-Origin: * policy lets any site call your API. Sometimes that is fine, often it is a mistake. Here is how to decide and fix it.
Read more
Run the scan to confirm each check
60 seconds. Free. No account required.