founder-friendly launch review

The GhostCodeAudit Checklist

Fix the most common security issues in AI-built SaaS before attackers find them.

01 / recommended checks

Supabase / Database

Start where private data usually lives.

  • Check RLS is enabled on every sensitive table
  • Review every policy for overbroad access
  • Confirm users can only read their own rows
  • Confirm users cannot update protected fields
  • Check public tables intentionally expose only public data
  • Review service role key handling
  • Review database functions and RPC permissions
02 / recommended checks

Auth & Sessions

Verify identity and roles on the server side.

  • Confirm protected routes enforce server-side checks
  • Confirm admin routes require admin role verification
  • Test role escalation attempts
  • Review password reset and magic link flows
  • Confirm session expiry behavior
  • Check auth callbacks and redirects
03 / recommended checks

APIs & Endpoints

Test what happens when someone skips the UI.

  • List all public endpoints
  • Check every endpoint verifies user permissions
  • Test direct API calls outside the UI
  • Check rate limiting on sensitive routes
  • Check whether IDs can be enumerated
  • Review error messages for data leakage
04 / recommended checks

Storage & Files

Make sure private uploads stay private.

  • Check bucket privacy settings
  • Confirm private files require signed URLs or access checks
  • Test whether user A can access user B files
  • Review upload restrictions
  • Check file metadata exposure
05 / recommended checks

Webhooks & Payments

Treat money movement as a server-side trust boundary.

  • Verify webhook signatures
  • Check replay protection
  • Confirm payment status cannot be spoofed client-side
  • Review subscription/cancellation logic
  • Confirm admin/payment events are logged safely
06 / recommended checks

Secrets & Environment Variables

Limit what keys can do, and where they can appear.

  • Check no secrets are committed to GitHub
  • Check frontend variables do not expose private keys
  • Rotate exposed keys
  • Review third-party API key permissions
  • Use least-privilege keys where possible
07 / recommended checks

Business Logic

Review the rules that make your SaaS your SaaS.

  • Test what happens if users skip UI steps
  • Test direct route access
  • Test editing IDs in requests
  • Test privilege boundaries
  • Test free vs paid access boundaries
  • Test admin/customer/creator role separation
08 / recommended checks

Launch Readiness

Prepare for production reality before traffic scales.

  • Backup strategy exists
  • Logging exists
  • Error monitoring exists
  • Incident contact exists
  • Security owner is defined
  • Critical flows have been manually reviewed
expert verification

Want GhostCode to review this for you?

This checklist helps you fix the obvious basics. A GhostCode review goes deeper into your actual attack paths, permission model, data flows, and business logic.