Security
Security Checklist
A pre-launch security checklist for the starter: secrets, auth, admin access, billing webhooks, rate limits, and the audit log.
Walk this list before exposing the app to real users. It assumes the defaults shipped by the starter and points at the page that explains each item.
Secrets and environment
- BETTER_AUTH_SECRET is a unique, random 32+ character value — not the placeholder. It is also the pepper for verification-code hashing.
- Backend secrets live in the Convex deployment, not in client env files. Only NEXT_PUBLIC_* values reach the browser. See Environment Variables.
- bun check-env passes for every workspace (run bun run build, which gates on it). See Setup Doctor.
- No real secrets are committed; .env* files are git-ignored.
Authentication
- OAuth redirect URIs point at your production Convex site URL.
- SITE_URL and NEXT_PUBLIC_APP_URL are your production domains so auth callbacks and email links resolve correctly.
- You have decided which providers to keep and removed the rest. See Removing Authentication Providers.
- Two-factor is configured the way you want it. See Multi-Factor Authentication.
Authorization and admin
- SUPER_ADMIN_EMAILS contains only the platform operators who should reach /admin. Leaving it blank disables the panel entirely.
- SUPER_ADMIN_REQUIRE_2FA is left at its default (true) in production.
- Workspace roles and capabilities match your product. See Roles and Permissions.
Dangerous actions
- Destructive actions are wrapped with step-up verification. See Sensitive Action Protection.
- Rate Limiting is tuned for your traffic (verification emails, password attempts, uploads).
Billing
- Provider webhook secrets are set and the webhook URL is registered. See Webhooks.
- You are using live keys (not sandbox/test) for production.
Observability and audit
- Sentry is configured if you want error reporting.
- You understand what the Audit Log records and have added a retention strategy if you need one.
Before launch
- Complete Delete Before Launch to remove demo surfaces, placeholder copy, and example business rules.
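The secrets, admin and URL items on this list can be checked mechanically before launch. The TypeScript below is an added example, not the starter's own bun check-env; it assumes only the variable names used on this page, the placeholder fragments it searches for are an assumption, and the sample environment at the bottom is constructed.

```typescript
// Added example (not the starter's check-env): audit a loaded environment against
// the checklist above and return every problem found. Variable names come from the
// page; the placeholder fragment list and sample values are constructed.
type Finding = { key: string; problem: string };

// Fragments that betray an unreplaced placeholder secret (assumed list).
const PLACEHOLDER_FRAGMENTS = ["changeme", "placeholder", "replace", "secret-here"];
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function auditEnv(env: Record<string, string | undefined>, production = true): Finding[] {
  const out: Finding[] = [];
  const flag = (key: string, problem: string) => out.push({ key, problem });

  // BETTER_AUTH_SECRET: 32+ characters and not the shipped placeholder.
  const secret = env.BETTER_AUTH_SECRET ?? "";
  if (secret.length < 32) flag("BETTER_AUTH_SECRET", "shorter than 32 characters");
  if (PLACEHOLDER_FRAGMENTS.some((p) => secret.toLowerCase().includes(p)))
    flag("BETTER_AUTH_SECRET", "looks like a placeholder value");

  // SUPER_ADMIN_EMAILS: blank disables /admin; otherwise every entry must be an address.
  const admins = (env.SUPER_ADMIN_EMAILS ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  for (const a of admins) if (!EMAIL.test(a)) flag("SUPER_ADMIN_EMAILS", `"${a}" is not an email address`);

  // With the admin panel enabled in production, the 2FA requirement must stay at its default (true).
  if (production && admins.length > 0 && (env.SUPER_ADMIN_REQUIRE_2FA ?? "true") !== "true")
    flag("SUPER_ADMIN_REQUIRE_2FA", "must remain true in production");

  // Production domains must be set and served over HTTPS so callbacks and email links resolve.
  for (const key of ["SITE_URL", "NEXT_PUBLIC_APP_URL"]) {
    const value = env[key];
    if (!value) flag(key, "not set");
    else if (production && !value.startsWith("https://")) flag(key, "not an https:// URL");
  }

  // Only NEXT_PUBLIC_* reaches the browser, so nothing secret-looking may carry that prefix.
  for (const key of Object.keys(env))
    if (key.startsWith("NEXT_PUBLIC_") && /SECRET|PRIVATE|TOKEN|PASSWORD/i.test(key))
      flag(key, "secret-looking variable exposed to the browser");

  return out;
}

// Constructed sample environment that fails several checks; run with: npx tsx audit-env.ts
const badEnv = {
  BETTER_AUTH_SECRET: "changeme",
  SUPER_ADMIN_EMAILS: "ops@example.com, not-an-email",
  SUPER_ADMIN_REQUIRE_2FA: "false",
  SITE_URL: "http://localhost:3000",
  NEXT_PUBLIC_BILLING_WEBHOOK_SECRET: "not-a-real-secret",
};
console.log(auditEnv(badEnv)); // 7 findings for the sample above
```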
Overview
How the starter protects user accounts and dangerous actions after login: sensitive-action step-up, an audit log, rate limiting, and a server-side super-admin boundary.
Sensitive Action Protection
Step-up verification for dangerous actions after login, enforced server-side in Convex and built on Better Auth. Works for every account type, including OAuth and magic-link users.