Leave Localhost logoLeave LocalhostDocs
Security

Security Checklist

A pre-launch security checklist for the starter: secrets, auth, admin access, billing webhooks, rate limits, and the audit log.

Walk this list before exposing the app to real users. It assumes the defaults shipped by the starter and points at the page that explains each item.

Secrets and environment

  • BETTER_AUTH_SECRET is a unique, random 32+ character value — not the placeholder. It is also the pepper for verification-code hashing.
  • Backend secrets live in the Convex deployment, not in client env files. Only NEXT_PUBLIC_* values reach the browser. See Environment Variables.
  • bun check-env passes for every workspace (run bun run build, which gates on it). See Setup Doctor.
  • No real secrets are committed; .env* files are git-ignored.

Authentication

  • OAuth redirect URIs point at your production Convex site URL.
  • SITE_URL / NEXT_PUBLIC_APP_URL are your production domains so auth callbacks and email links resolve correctly.
  • You have decided which providers to keep and removed the rest. See Removing Authentication Providers.
  • Two-factor is configured the way you want it. See Multi-Factor Authentication.

Authorization and admin

  • SUPER_ADMIN_EMAILS contains only the platform operators who should reach /admin. Blank disables the panel entirely.
  • SUPER_ADMIN_REQUIRE_2FA is left at its default (true) in production.
  • Workspace roles and capabilities match your product. See Roles and Permissions.

Dangerous actions

Billing

  • Provider webhook secrets are set and the webhook URL is registered. See Webhooks.
  • You are using live keys (not sandbox/test) for production.

Observability and audit

  • Sentry is configured if you want error reporting.
  • You understand what the Audit Log records and have added a retention strategy if you need one.

Before launch

  • Complete Delete Before Launch to remove demo surfaces, placeholder copy, and example business rules.

On this page