Security hardening

Verify Row Level Security is enabled on every table (Supabase)

Your Supabase URL and anon key ship in the client bundle by design — that's normal. The thing actually protecting your data is Row Level Security (RLS): database-level policies that scope every query to the authenticated user. No RLS means anyone who knows your Supabase URL can query every row in every table.

In our scan of 100 vibe-coded apps, 68% of Supabase apps had missing or broken RLS. Without it, anyone who knows your Supabase URL can query your database directly and read everything.

-- In your Supabase dashboard → SQL Editor → run:
SELECT tablename, rowsecurity
FROM pg_tables
WHERE schemaname = 'public';

-- Every row where rowsecurity = false is a wide-open table.

-- Fix: enable RLS and add a policy scoped to the authenticated user
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users read own rows" ON your_table
  FOR SELECT USING (auth.uid() = user_id);

Check Firebase Security Rules

If you're on Firebase, open the Firebase Console → Firestore → Rules. If you see `allow read, write: if true` — your database is public.

// ❌ This means your database is wide open:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

// ✅ Fix: require authentication
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
  }
}

Verify Stripe payment notifications are authentic

Stripe sends your app a webhook when a payment completes. Your handler must verify the Stripe-Signature header before trusting the payload — otherwise anyone can POST a fake "payment successful" event and unlock paid features for free. Run the test below: if your server accepts an unsigned event, it's unprotected.

# Send a fake Stripe event — this SHOULD be rejected
curl -X POST https://yourapp.com/api/webhooks/stripe \
  -H "Content-Type: application/json" \
  -d '{"type":"checkout.session.completed","data":{"object":{"id":"cs_fake"}}}'

# If your server returns 200 → your webhook is unprotected

# Fix: verify the signature
import Stripe from 'stripe';
const event = stripe.webhooks.constructEvent(
  body,
  request.headers['stripe-signature'],
  process.env.STRIPE_WEBHOOK_SECRET // server-side only
);

Add security headers

Check your current headers with the curl command below. If nothing comes back, add the four essential headers in your hosting config.

# Check current headers
curl -sI https://yourapp.com | grep -iE \
  'x-frame|content-type-options|strict-transport|content-security'

# Add these in vercel.json, _headers (Netlify), or next.config.js:
# X-Frame-Options: DENY                          → prevents clickjacking
# X-Content-Type-Options: nosniff                → prevents MIME sniffing
# Strict-Transport-Security: max-age=31536000    → forces HTTPS
# Referrer-Policy: strict-origin-when-cross-origin → prevents URL leakage

Lock down cross-origin access (CORS)

CORS decides which origins can call your API from the browser. AI defaults to the wildcard (`*`) because it makes local dev painless — and ships straight to production. For anything behind a login, restrict it to your own domain.

# Check your CORS headers:
curl -sI -H "Origin: https://evil.com" https://yourapp.com/api/users | grep -i access-control

# If you see Access-Control-Allow-Origin: * → fix it
# Only allow your real domains:
# Access-Control-Allow-Origin: https://yourapp.com