Security checks for the framework you actually use
Beyond Lovable and Bolt, real apps ship on Astro, SvelteKit, Nuxt, Remix, and Expo. Each guide focuses on the framework-specific gotchas — not generic web security advice.
Astro
Astro defaults to static output, which dodges many runtime security issues — but headers, CORS, and exposed config files are still your responsibility.
Open guide

Remix
Remix gets a lot right by default (cookies, form-based mutations) but misses CSP and rate limiting. Scan your Remix app for the gaps.
Open guide

SvelteKit
SvelteKit splits public and private env vars, which catches most secret leaks — but CSP, CORS, and cookie config still need attention.
Open guide

Nuxt
Nuxt 3 separates public and private runtime config — but you still need to set CSP, allowlist CORS on /api routes, and harden cookies.
Open guide

Expo
Expo apps that ship a web target inherit all the JS-bundle security pitfalls. Scan your Expo web URL for leaked secrets and missing headers.
Open guide

React Router
React Router 7 (formerly Remix) gives you loaders and actions on the server — and the same security responsibilities as a full backend.
Open guide

Streamlit
Streamlit apps frequently ship to public URLs without auth. Scan to confirm st.secrets is server-only and your deployment has basic security headers.
Open guide

Gradio
Gradio apps on HuggingFace Spaces are public by default. Scan to confirm your app has basic auth, no leaked secrets, and security headers.
Open guide

Retool
Retool resources and queries can leak data through shared app URLs. Scan to verify the app perimeter and audit resource permissions.
Retool resources and queries can leak data through shared app URLs. Scan to verify the app perimeter and audit resource permissions.
Open guide