founder-friendly launch review
The GhostCodeAudit Checklist
Fix the most common security issues in AI-built SaaS before attackers find them.
01 / recommended checks
Supabase / Database
Start where private data usually lives.
- Check RLS is enabled on every sensitive table
- Review every policy for overbroad access
- Confirm users can only read their own rows
- Confirm users cannot update protected fields
- Check public tables intentionally expose only public data
- Review service role key handling
- Review database functions and RPC permissions
02 / recommended checks
Auth & Sessions
Verify identity and roles on the server side.
- Confirm protected routes enforce server-side checks
- Confirm admin routes require admin role verification
- Test role escalation attempts
- Review password reset and magic link flows
- Confirm session expiry behavior
- Check auth callbacks and redirects
03 / recommended checks
APIs & Endpoints
Test what happens when someone skips the UI.
- List all public endpoints
- Check every endpoint verifies user permissions
- Test direct API calls outside the UI
- Check rate limiting on sensitive routes
- Check whether IDs can be enumerated
- Review error messages for data leakage
04 / recommended checks
Storage & Files
Make sure private uploads stay private.
- Check bucket privacy settings
- Confirm private files require signed URLs or access checks
- Test whether user A can access user B files
- Review upload restrictions
- Check file metadata exposure
05 / recommended checks
Webhooks & Payments
Treat money movement as a server-side trust boundary.
- Verify webhook signatures
- Check replay protection
- Confirm payment status cannot be spoofed client-side
- Review subscription/cancellation logic
- Confirm admin/payment events are logged safely
06 / recommended checks
Secrets & Environment Variables
Limit what keys can do, and where they can appear.
- Check no secrets are committed to GitHub
- Check frontend variables do not expose private keys
- Rotate exposed keys
- Review third-party API key permissions
- Use least-privilege keys where possible
07 / recommended checks
Business Logic
Review the rules that make your SaaS your SaaS.
- Test what happens if users skip UI steps
- Test direct route access
- Test editing IDs in requests
- Test privilege boundaries
- Test free vs paid access boundaries
- Test admin/customer/creator role separation
08 / recommended checks
Launch Readiness
Prepare for production reality before traffic scales.
- Backup strategy exists
- Logging exists
- Error monitoring exists
- Incident contact exists
- Security owner is defined
- Critical flows have been manually reviewed
expert verification
Want GhostCode to review this for you?
This checklist helps you fix the obvious basics. A GhostCode review goes deeper into your actual attack paths, permission model, data flows, and business logic.