Back to Blog
Security
9 min read

The Security Checklist Every Web App Needs

Security isn't optional anymore. Here's our pre-launch security audit checklist for production applications.

The Security Checklist Every Web App Needs

Security breaches don't happen because of sophisticated attacks—they happen because of basic mistakes. This is our checklist for every production deployment.

Authentication & Authorization

  • [ ] Passwords are hashed with bcrypt/argon2 (never stored in plaintext)
  • [ ] Password reset tokens expire after 1 hour
  • [ ] Session tokens are httpOnly and secure
  • [ ] Failed login attempts are rate-limited
  • [ ] All admin actions require re-authentication
  • [ ] API endpoints validate user permissions, not just authentication

Data Protection

  • [ ] All traffic uses HTTPS (HTTP redirects to HTTPS)
  • [ ] Sensitive data is encrypted at rest
  • [ ] Database backups are encrypted
  • [ ] Environment variables are never committed to git
  • [ ] API keys can be rotated without downtime
  • [ ] PII is segregated and access-logged

Input Validation

  • [ ] All user input is validated server-side
  • [ ] SQL queries use parameterized statements
  • [ ] File uploads are validated by type and size
  • [ ] User-generated content is sanitized before display
  • [ ] CORS is configured (not set to *)

Infrastructure

  • [ ] Servers are behind a firewall
  • [ ] Database is not publicly accessible
  • [ ] Dependencies are scanned for vulnerabilities
  • [ ] Error messages don't leak system information
  • [ ] Logging captures security events
  • [ ] Monitoring alerts on suspicious patterns

Compliance

  • [ ] Privacy policy is clear and accessible
  • [ ] Users can export their data
  • [ ] Users can delete their accounts
  • [ ] Third-party services are documented
  • [ ] Data retention policies are defined

The 24-Hour Response Plan

Hope for the best, plan for the worst. Before you launch:

  1. Document how to revoke compromised credentials
  2. Set up incident response communication channels
  3. Test your backup restoration process
  4. Know who to contact if you detect a breach

The Business Case for Security

Security isn't just about preventing breaches—it's about enabling trust. Enterprise customers won't sign contracts without security audits. Investors won't fund companies with security gaps. Security is a feature, not a cost center.

Share this article

Let's Build Your Next Project

Work with engineers who understand both the technical and business sides of software.

Start a Conversation