Before You Hit Launch
You have been building for weeks. The features work. The landing page looks great. You are ready to share it with the world.
Hold on. Run through these 10 checks first. Each one takes a few minutes. Together they catch the most common security problems we see in solo-built apps.
This is not a complete security audit. But it is the bare minimum before you put real users on your app.
1. HTTPS Everywhere
What to check: Visit every page of your app. Does the browser show a padlock? Try accessing your site with http:// instead of https://. Does it redirect automatically?
How to fix it: Most hosting platforms handle this for you. On Vercel, Netlify and Railway, HTTPS is on by default. If you are on a VPS, use Let's Encrypt with Certbot. It is free and takes five minutes. Force HTTPS redirects in your server config.
2. Password Hashing
What to check: Look at your database. Can you read any user's password in plain text? If yes, stop everything and fix this now.
How to fix it: Use bcrypt, scrypt or Argon2. Never use MD5 or SHA-256 alone for passwords. Every modern framework has a built-in password hashing library. In Node.js, use bcrypt. In Python, use passlib. In PHP, use password_hash(). This is non-negotiable.
3. API Keys Out of Client Code
What to check: Open your browser's developer tools. Go to the Sources tab. Search for any API keys, secret keys or tokens. Check your JavaScript bundle. Check your HTML source.
How to fix it: Move all secrets to environment variables on the server side. Never put Stripe secret keys, database credentials or API tokens in client-side code. Use .env files locally and your hosting platform's environment variable settings in production. Add .env to your .gitignore.
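The "search your bundle for keys" step can be scripted. The scanner below is an added example, not part of the original post: it runs a few credential-shape patterns over a built bundle and reports line numbers with the matches redacted. The Stripe `sk_live_`/`sk_test_` and AWS `AKIA` prefixes are real, documented key formats; the generic rule and the sample bundle (every value in it is a constructed placeholder) are assumptions for the demo.

```python
import re

# Shapes of credentials that should never appear in shipped client code.
# Stripe "pk_" keys are publishable by design and are deliberately not flagged.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b(?:secret|token|api[_-]?key|password)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}
PUBLISHABLE_PREFIXES = ("pk_live_", "pk_test_")


def redact(value: str) -> str:
    """Keep only the ends of a match so the report itself does not leak the secret."""
    return value if len(value) <= 16 else value[:8] + "..." + value[-4:]


def scan_bundle(text: str):
    """Return (line_number, rule_name, redacted_match) for the first rule hit on each line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if value.startswith(PUBLISHABLE_PREFIXES):
                continue  # a publishable key is meant to be in the browser
            findings.append((lineno, name, redact(m.group(0))))
            break
    return findings


# Constructed sample of a built front-end bundle; every value is a placeholder.
SAMPLE_BUNDLE = """\
// main.js (constructed sample)
const STRIPE_PUBLISHABLE = "pk_test_EXAMPLEpublishable0000000000";
const stripe = Stripe("sk_test_EXAMPLEsecretkey000000000000");
fetch("/api/orders", { headers: { Authorization: "Bearer " + token } });
const config = { apiKey: "AKIAEXAMPLEKEY000000", region: "us-east-1" };
const secret = "do-not-ship-this-secret-value";
"""

if __name__ == "__main__":
    for lineno, rule, snippet in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {lineno}: {rule}: {snippet}")
```

Run it against the files in your build output directory before every deploy, or wire it into CI so a failing scan blocks the release. A pattern scanner catches the obvious shapes; it does not replace reading the Sources tab once yourself.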
4. Rate Limiting
What to check: Try submitting your login form 100 times in a row. Try hitting your API endpoint 1,000 times in a minute. Does anything stop you?
How to fix it: Add rate limiting to your login endpoint, signup endpoint and any API routes. In Express, use express-rate-limit. In Next.js, use middleware. Most cloud providers also offer rate limiting at the edge. Start with 10 login attempts per minute per IP.
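The "10 attempts per minute per IP" rule, written out as an added example (not code from the original post and not the express-rate-limit package): an exact sliding-window limiter keyed by client address, applied to a login handler before any credential check runs. The injectable clock and the `check_credentials` callback are assumptions so the example runs offline.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key (e.g. client IP).

    A deque of timestamps per key gives an exact sliding window: when a new
    request arrives, timestamps older than the window are dropped first.
    """

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable for tests; monotonic in production
        self._events = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False            # do not record blocked attempts
        q.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest counted event leaves the window (0 if not limited)."""
        q = self._events[key]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


def handle_login(limiter, client_ip, username, password, check_credentials):
    """Apply the limit before touching credentials, so excess attempts cost nothing on your side."""
    if not limiter.allow(client_ip):
        return {"status": 429, "retry_after": limiter.retry_after(client_ip)}
    if check_credentials(username, password):
        return {"status": 200}
    return {"status": 401}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=10, window_seconds=60)
    creds = lambda u, p: (u, p) == ("alice", "correct-password")
    for i in range(12):
        print(i + 1, handle_login(limiter, "203.0.113.5", "alice", "wrong", creds))
```

This in-memory version is fine for a single process. Behind a load balancer or with several workers, keep the counters in a shared store (Redis is the usual choice), and consider a second limiter keyed by username so one account cannot be hammered from many addresses.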
5. Input Validation
What to check: Go to every form on your app. Type <script>alert('xss')</script> into each field. Type a single quote ' into search fields. See what happens.
How to fix it: Validate and sanitize all user input on the server side. Client-side validation is nice for UX but does nothing for security. Use parameterized queries for database operations. Never concatenate user input into SQL strings. Use a library like DOMPurify if you display user-generated content.
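Added example, not code from the original post: the three server-side habits from this section side by side, using Python's built-in sqlite3 and html modules. `search_unsafe` is the concatenation pattern to remove, and typing the single quote from the check above into it breaks the query; `search_safe` is the parameterized form, where the same input is just data; `validate_username` is an allowlist check; and `render_bio` escapes on output so the `<script>` payload from the check is displayed rather than run. The table and its rows are constructed for the demo.

```python
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Allowlist validation on the server: reject anything outside the expected shape."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 letters, digits or underscores")
    return value


def make_db():
    """Constructed in-memory table standing in for the app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)", [
        ("alice", "likes ' quotes"),
        ("bob", "<b>bold</b> bio"),
    ])
    return conn


def search_unsafe(conn, term):
    """The pattern to remove: user input concatenated into the SQL string.
    A single quote in `term` becomes part of the statement instead of the data."""
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized query: the value travels separately from the SQL text,
    so a quote is just a character to match and no statement can be altered."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (term,))
    return [row[0] for row in rows]


def quote_breaks_unsafe_query(conn):
    """True if a lone single quote makes the concatenated query fail (the check from this section)."""
    try:
        search_unsafe(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


def render_bio(bio):
    """Escape on output so stored text is displayed as text, not parsed as HTML."""
    return "<p>" + html.escape(bio) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    print("single quote breaks unsafe query:", quote_breaks_unsafe_query(conn))  # True
    print("safe query with single quote:", search_safe(conn, "'"))               # []
    print("safe query for alice:", search_safe(conn, "alice"))                   # ['alice']
    print(render_bio("<script>alert('xss')</script>"))
```

The escaping step is context specific: html.escape is right for text inside an HTML element, but a value placed into a URL, a JavaScript string or an attribute needs the encoder for that context, which is why the section points at a library such as DOMPurify for rich user content.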
6. CORS Configuration
What to check: Is your API set to Access-Control-Allow-Origin: *? That means any website on the internet can make requests to your API on behalf of your logged-in users.
How to fix it: Set CORS to allow only your own domain. If your frontend is at app.example.com, your API should only accept requests from app.example.com. Never use wildcard origins in production.
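An added example (not code from the original post) of the allowlist approach: a function that computes the CORS response headers for one request, echoing the Origin back only when it matches a fixed set of your own origins exactly. The allowlist contents and the method/header lists are assumptions for the demo.

```python
# Assumed allowlist: the exact origins your own front-end is served from.
# Scheme and host are part of the comparison, so "http://app.example.com"
# and "https://app.example.com.evil.example" are both rejected.
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, allow_credentials=True):
    """Return CORS response headers for one request, or {} if the origin is not allowed.

    The Origin header is compared exactly against the allowlist and echoed back
    only on a match. Never echo an arbitrary Origin, and never pair "*" with
    Access-Control-Allow-Credentials: true.
    """
    if request_origin is None or request_origin not in allowed:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        # Tell caches the answer depends on Origin, so one origin's response
        # is never served to another.
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_wildcard_config(headers) -> bool:
    """The setting the check above flags: flat '*' on an API response."""
    return headers.get("Access-Control-Allow-Origin") == "*"


if __name__ == "__main__":
    print(cors_headers("https://app.example.com"))
    print(cors_headers("https://app.example.com.evil.example"))  # {}
    print(cors_headers("http://app.example.com"))                # {}
    print(is_wildcard_config({"Access-Control-Allow-Origin": "*"}))  # True
```

One caveat on the check itself: browsers refuse to send cookies to a response marked `*`, so a flat wildcard mainly lets other sites read responses that need no login. The configuration that lets another site act as a logged-in user is an API that reflects whatever Origin it receives and also sets Access-Control-Allow-Credentials: true; the function above never does that, because it only echoes origins from the fixed list.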
7. Backups
What to check: When was your last database backup? Can you restore it? Have you ever tested a restore?
How to fix it: Set up automated daily backups. Most managed databases (Supabase, PlanetScale, Railway) include this. If you are self-hosting, use pg_dump or mysqldump on a cron job. Store backups in a separate location from your database. Test a restore at least once.
8. Dependency Scanning
What to check: Run npm audit, pip-audit or bundler-audit (whichever matches your stack) on your project. How many known vulnerabilities are in your dependencies?
How to fix it: Update dependencies with known critical vulnerabilities. You do not need to fix every low-severity warning, but anything marked critical or high should be addressed before launch. Run these checks weekly.
9. Admin Access
What to check: Is your admin panel accessible at /admin? Does it require authentication? Can a regular user access admin routes by changing the URL?
How to fix it: Protect admin routes with proper authorization checks on the server side. Do not just hide the admin link in the UI. Check the user's role on every admin API request. Consider putting your admin panel on a separate subdomain or behind a VPN.
10. Error Handling
What to check: Trigger an error on your app. Does the error message show a stack trace, database query or file path? These details help attackers understand your system.
How to fix it: Show generic error messages to users. Log detailed errors on the server. Never expose stack traces, SQL queries or internal paths in production. Most frameworks have a "production mode" that handles this automatically. Make sure it is enabled.
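Checks 9 and 10 both live in the same place, the server-side request pipeline, so here is one added example (not code from the original post) that covers both: a `require_role` decorator that checks the caller's role on every admin handler, and a dispatcher that turns any unexpected exception into a generic message with an error id, while the full traceback goes to the server log. The routes, the request dictionary shape and the deliberately failing handler are constructed for the demo.

```python
import logging
import traceback
import uuid
from functools import wraps

log = logging.getLogger("app")


class Forbidden(Exception):
    pass


def require_role(role):
    """Decorator: every protected handler re-checks the caller's role on the server, per request."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            user = request.get("user")  # set by the session layer; None if anonymous
            if user is None or user.get("role") != role:
                # Same outcome for "not logged in" and "wrong role".
                raise Forbidden(f"{role} access required")
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_users(request):
    return {"users": ["alice", "bob"]}


@require_role("admin")
def broken_report(request):
    # Constructed failure standing in for a real bug (missing file, bad query, ...).
    raise FileNotFoundError("/srv/app/reports/2024.csv")


ROUTES = {"/admin/users": list_users, "/admin/report": broken_report}


def dispatch(request, debug=False):
    """Route a request; authorization happens inside the handler, never only in the UI."""
    handler = ROUTES.get(request["path"])
    if handler is None:
        return {"status": 404, "body": {"error": "not found"}}
    try:
        return {"status": 200, "body": handler(request)}
    except Forbidden:
        return {"status": 403, "body": {"error": "forbidden"}}
    except Exception as exc:
        error_id = uuid.uuid4().hex[:12]
        # Full detail goes to the server log, keyed by an id the user can quote to support.
        log.error("error %s on %s: %r\n%s", error_id, request["path"], exc, traceback.format_exc())
        if debug:
            # Development only; this branch is what "production mode" switches off.
            return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}
        return {"status": 500, "body": {"error": "something went wrong", "error_id": error_id}}


if __name__ == "__main__":
    print(dispatch({"path": "/admin/users", "user": {"role": "admin"}}))   # 200
    print(dispatch({"path": "/admin/users", "user": {"role": "user"}}))    # 403
    print(dispatch({"path": "/admin/users"}))                              # 403
    print(dispatch({"path": "/admin/report", "user": {"role": "admin"}}))  # 500, no path in body
```

The `debug` flag is the thing to verify before launch: in the production response the file path from the exception never appears, only the error id, and the same id in the server log leads you to the traceback.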
Passed All 10?
Great. You are ahead of 90% of solo-built apps we see.
But this checklist covers 10 things. A professional security audit checks for roughly 200. It tests business logic, authorization chains, session management, payment flow abuse and dozens of attack vectors that no checklist can cover.
If your app handles real user data or real payments, the Quick Audit from Sherlock Forensics covers your entire app for $1,500 CAD. Five-day turnaround. Plain English report.
Not ready for an audit? Try our free hack tool to scan your site in 30 seconds. Or grab the full security checklist for more detailed checks.