Vibe Coding | 12 min read | January 16, 2026
Tags: Deployment, Checklist, Production, MVP

From Prototype to Production: Security Checklist for AI-Built Apps

The comprehensive checklist for taking an AI-generated MVP to production-ready deployment.

Security Guide

Your Prototype Works. Is It Production-Ready?

You've built something that works. Users are interested. Now it's time to transition from "demo" to "product." This checklist covers everything you need to secure an AI-generated application for production.

Phase 1: Pre-Production Audit

1.1 Secrets Inventory

Find all secrets in your codebase:

bash
grep -rn "api_key\|secret\|password\|token" --include="*.ts" --include="*.js" --include="*.env*" .

For each secret found:

  • Moved to environment variables
  • Removed from git history (if ever committed)
  • Added to .gitignore
  • Configured in production environment
  • Rotated if potentially exposed

1.2 Dependency Audit

Check for vulnerable dependencies:

bash
npm audit

Fix or mitigate:

  • All critical vulnerabilities resolved
  • All high vulnerabilities resolved
  • Medium vulnerabilities reviewed
  • Lock file committed
  • Automated update system configured (Dependabot/Renovate)

1.3 Security Scan

Run comprehensive vulnerability scan:

  • SQL injection check passed
  • XSS vulnerabilities addressed
  • Authentication flows verified
  • Authorization checks confirmed
  • OWASP Top 10 coverage complete

Phase 2: Authentication Hardening

2.1 Password Security

  • Passwords hashed with bcrypt/argon2 (cost factor ≥12)
  • Password requirements enforced (minimum 8 chars, complexity)
  • No password hints or security questions
  • Secure password reset flow with expiring tokens

2.2 Session Management

  • Session tokens are cryptographically random
  • Sessions expire after inactivity
  • Session regenerated on login/logout
  • HttpOnly flag set on session cookies
  • Secure flag set on session cookies
  • SameSite attribute configured

2.3 Rate Limiting

  • Login endpoint rate limited (5 attempts per minute)
  • Password reset rate limited
  • API endpoints rate limited appropriately
  • Account lockout after repeated failures
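
A sketch of the login limits above, as an added example that is not code from this article: a sliding-window limiter per client IP plus a per-account lockout. LIMIT and WINDOW_MS mirror the "5 attempts per minute" item; LOCK_AFTER, LOCK_MS and the function names are assumptions.

```javascript
// Added example. State lives in process memory, so a deployment with several
// instances needs a shared store instead of these Maps.
const LIMIT = 5, WINDOW_MS = 60_000;          // from the checklist: 5 attempts per minute
const LOCK_AFTER = 10, LOCK_MS = 15 * 60_000; // assumed lockout policy

function createLoginGuard(now = () => Date.now()) {
  const byIp = new Map();      // ip -> timestamps of attempts inside the window
  const byAccount = new Map(); // username -> { failures, lockedUntil }

  // Call before checking the password.
  function check(ip, username) {
    const t = now();
    const acct = byAccount.get(username);
    if (acct && acct.lockedUntil > t) {
      return { allowed: false, reason: 'locked', retryAfterMs: acct.lockedUntil - t };
    }
    // Keep only attempts younger than the window, then count them.
    const recent = (byIp.get(ip) || []).filter((ts) => t - ts < WINDOW_MS);
    if (recent.length >= LIMIT) {
      byIp.set(ip, recent);
      return { allowed: false, reason: 'rate_limited',
               retryAfterMs: WINDOW_MS - (t - recent[0]) };
    }
    recent.push(t);
    byIp.set(ip, recent);
    return { allowed: true };
  }

  // Call after the password check; failures accumulate across IPs per account.
  function recordResult(username, success) {
    if (success) { byAccount.delete(username); return; }
    const acct = byAccount.get(username) || { failures: 0, lockedUntil: 0 };
    acct.failures += 1;
    if (acct.failures >= LOCK_AFTER) {
      acct.lockedUntil = now() + LOCK_MS;
      acct.failures = 0;
    }
    byAccount.set(username, acct);
  }

  return { check, recordResult };
}
```

Return the same HTTP response for 'locked' and 'rate_limited' so the endpoint does not reveal which usernames exist.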

2.4 Multi-Factor Authentication (Optional but Recommended)

  • TOTP support implemented
  • Backup codes available
  • MFA bypass procedures documented

Phase 3: Authorization Verification

3.1 Access Control Audit

For every endpoint in your application:

| Endpoint | Auth Required? | Authorization Check? | Verified? |
|---|---|---|---|
| /api/users/:id | Yes | User owns resource | [ ] |
| /api/admin/* | Yes | Admin role | [ ] |
| ... | ... | ... | [ ] |

3.2 Common Authorization Failures

  • No IDOR vulnerabilities (users can't access others' data)
  • No privilege escalation paths
  • Admin functions require admin role (not just admin flag in request)
  • Deleted users can't access anything
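
The two table rows and the four failure modes above, expressed as one authorization function. This is an added example, not code from this article; the `users` store, its `role` and `deletedAt` fields and the `authorize` name are hypothetical.

```javascript
// Added example. Every input to the decision is server-side state: the session's
// user id and the stored account record. Nothing is read from the request body,
// query string or headers.
const users = new Map([ // constructed sample records
  ['u1', { id: 'u1', role: 'user', deletedAt: null }],
  ['u2', { id: 'u2', role: 'user', deletedAt: null }],
  ['a1', { id: 'a1', role: 'admin', deletedAt: null }],
  ['u9', { id: 'u9', role: 'user', deletedAt: '2026-01-01' }],
]);

function authorize(sessionUserId, path) {
  // Re-load the account on every request, so a still-valid session for a
  // deleted user, or a role cached at login, does not grant access.
  const user = sessionUserId ? users.get(sessionUserId) : undefined;
  if (!user) return { status: 401, reason: 'unauthenticated' };
  if (user.deletedAt) return { status: 401, reason: 'account_deleted' };

  if (path.startsWith('/api/admin/')) {
    // The role comes from the stored record, never from a flag in the request.
    return user.role === 'admin'
      ? { status: 200 }
      : { status: 403, reason: 'admin_required' };
  }

  const match = /^\/api\/users\/([^/]+)$/.exec(path);
  if (match) {
    // IDOR check: the :id in the URL must equal the session identity.
    return match[1] === user.id
      ? { status: 200 }
      : { status: 403, reason: 'not_owner' };
  }

  // Default deny: an endpoint missing from the audit table gets no access.
  return { status: 403, reason: 'no_policy' };
}
```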

Phase 4: Data Protection

4.1 Database Security

  • All queries parameterized
  • Database user has minimal privileges
  • Row Level Security enabled (if using Supabase/PostgreSQL)
  • Sensitive data encrypted at rest
  • Backups encrypted and secure

4.2 Data in Transit

  • HTTPS enforced everywhere
  • HSTS header configured
  • TLS 1.2+ required
  • No mixed content warnings

4.3 PII Handling

  • Personal data minimized
  • Data retention policy defined
  • User data deletion available
  • Data export available (GDPR compliance)

Phase 5: Infrastructure Security

5.1 Deployment Configuration

Vercel:

  • Environment variables set (not in code)
  • Preview deployments protected
  • Domain properly configured
  • Edge functions secured

Other Platforms:

  • Secrets in platform secret manager
  • Production environment isolated
  • Deployment pipeline secured

5.2 Security Headers

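javascript
// next.config.js
const securityHeaders = [
  {
    // Stops browsers from MIME-sniffing a response into an executable type
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    // Blocks framing of the site (clickjacking)
    key: 'X-Frame-Options',
    value: 'DENY'
  },
  {
    // Legacy header: current browsers ignore it, so CSP is the real XSS control
    key: 'X-XSS-Protection',
    value: '1; mode=block'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    // 'unsafe-inline' and 'unsafe-eval' in script-src let injected script run,
    // so treat this as a starting policy and tighten it with nonces or hashes
    key: 'Content-Security-Policy',
    value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
  },
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=31536000; includeSubDomains'
  }
]

// Apply the headers to every route
module.exports = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }]
  }
}
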
  • All security headers configured
  • CSP tested and working
  • CORS restricted to known origins
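
To check the "all security headers configured" and "CSP tested" items against a real response, the following added example (not code from this article) audits a headers object and parses the CSP. `auditHeaders`, `parseCsp` and the finding strings are hypothetical names; keys are expected in lower case, as Node and fetch() report them.

```javascript
// Added example. REQUIRED mirrors the securityHeaders list in this section.
// X-XSS-Protection is not checked because current browsers ignore it.
const REQUIRED = {
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',
  'x-frame-options': (v) => /^(deny|sameorigin)$/i.test(v),
  'referrer-policy': (v) => v.length > 0,
  'content-security-policy': (v) => /(^|;)\s*default-src\s/i.test(v),
  // One year, the max-age used in this section's config
  'strict-transport-security': (v) =>
    Number((/max-age=(\d+)/i.exec(v) || [])[1]) >= 31536000,
};

// Split a CSP value into { directive: [sources...] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

function auditHeaders(headers) {
  const findings = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    const v = headers[name];
    if (v === undefined) findings.push(`missing: ${name}`);
    else if (!ok(v)) findings.push(`weak: ${name}`);
  }
  const csp = parseCsp(headers['content-security-policy'] || '');
  // script-src falls back to default-src when it is absent.
  const scripts = csp['script-src'] || csp['default-src'] || [];
  for (const risky of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scripts.includes(risky)) findings.push(`csp: script-src allows ${risky}`);
  }
  if (scripts.includes('*')) findings.push('csp: script-src allows any origin');
  return findings;
}
```

Run against the configuration shown in this section, it reports the two script-src keywords that still need tightening.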

5.3 Monitoring & Logging

  • Error tracking configured (Sentry, etc.)
  • Security events logged
  • Alerts configured for anomalies
  • Log retention policy defined
  • Logs don't contain sensitive data

Phase 6: Third-Party Integrations

6.1 API Security

For each external API:

  • API keys stored securely
  • Minimal permissions configured
  • Rate limits understood
  • Webhook signatures verified

6.2 OAuth/Social Login

  • Redirect URIs restricted
  • State parameter validated
  • Token storage secure
  • Scopes minimized

6.3 Payment Integration

  • Webhook signatures verified
  • Prices set server-side
  • PCI compliance understood
  • Refund process documented
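
"Webhook signatures verified" appears in both 6.1 and 6.3. The added example below (not code from this article or from any provider's SDK) shows the check itself. The header layout `t=<unix seconds>,v1=<hex HMAC-SHA256>` and the signed string `<t>.<raw body>` are an assumed generic scheme; use the exact format your provider documents.

```javascript
const crypto = require('node:crypto');

// Added example. TOLERANCE_S is an assumed replay window.
const TOLERANCE_S = 300;

// Sender side, included so the example runs on its own.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`).digest('hex');
}

function verifyWebhook(secret, header, rawBody, nowS = Math.floor(Date.now() / 1000)) {
  const parts = Object.fromEntries(
    String(header || '').split(',').map((kv) => kv.trim().split('=', 2)));
  if (!/^\d+$/.test(parts.t || '') || !/^[0-9a-f]{64}$/.test(parts.v1 || '')) {
    return { ok: false, reason: 'malformed_header' };
  }
  // Reject old or future-dated deliveries so a captured request cannot be replayed.
  if (Math.abs(nowS - Number(parts.t)) > TOLERANCE_S) {
    return { ok: false, reason: 'stale_timestamp' };
  }
  // Verify over the raw body exactly as received, not a re-serialized object.
  // Both buffers are 32 bytes here, which timingSafeEqual requires.
  const expected = Buffer.from(sign(secret, parts.t, rawBody), 'hex');
  const given = Buffer.from(parts.v1, 'hex');
  if (!crypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: 'bad_signature' };
  }
  return { ok: true };
}
```

In a Next.js route handler, read the body with `await request.text()` before any JSON parsing so the bytes that are verified are the bytes that were signed.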

Phase 7: Pre-Launch Testing

7.1 Security Testing

  • SQL injection tested on all inputs
  • XSS tested on all outputs
  • Authentication bypass attempted
  • Authorization bypass attempted
  • File upload limits tested
  • Rate limits verified

7.2 Load Testing

  • Application handles expected load
  • Rate limits function under load
  • Database performs under load

7.3 Recovery Testing

  • Backup restoration tested
  • Disaster recovery plan documented
  • Incident response plan defined

Phase 8: Launch Checklist

Final Pre-Launch

  • All critical/high vulnerabilities fixed
  • Security scan passes
  • Secrets rotated from development
  • Production environment variables set
  • Domain and SSL configured
  • Monitoring active
  • Team knows incident response

Post-Launch

  • Monitor for errors
  • Watch for unusual activity
  • Schedule regular security scans
  • Plan for ongoing updates

Quick Reference Card

PRODUCTION READINESS: MINIMUM REQUIREMENTS
==========================================
[ ] No hardcoded secrets
[ ] All dependencies updated
[ ] Security scan passed
[ ] Authentication works correctly
[ ] Authorization checks on all endpoints
[ ] HTTPS enforced
[ ] Security headers configured
[ ] Error tracking active
[ ] Incident response plan exists

The Bottom Line

Production isn't just "it works." It's "it works safely under attack." This checklist covers the fundamentals. Use it, check every box, and ship with confidence.
