The Web Security Checklist Every Indie Hacker Needs
15 checks that block 90% of automated attacks. Print it, tape it next to your monitor, and run through it before every deploy.
Why Indie Hackers Skip Security
You shipped your SaaS in a weekend. Users are signing up. Stripe payments are flowing. Life is good. But somewhere between your MVP launch and your 100th customer, you skipped something important: security.
Most indie hackers treat security the same way they treat unit tests. They know it matters, they plan to get to it eventually, and they never do. The reasoning is always the same: "I'm too small to be a target." That thinking is a ticking bomb. Automated bots don't care about your ARR. They scan every domain on the internet, looking for exposed .env files, missing headers, and default configurations. Your tiny SaaS is just as scannable as a Fortune 500 company.
A single breach can destroy months of work overnight. Customer data leaked, trust gone, and your inbox full of angry emails. The fix is simple: run through this web security checklist before your next deploy.
The Web Security Checklist (15 Items)
Think of these startup security basics as the minimum viable security for any web app. Not a hardened enterprise setup, just the things that stop you from being low-hanging fruit.
SSL / TLS
Valid SSL certificate - Every page on your site must be served over HTTPS with a valid, non-expired certificate. If you're on Vercel or Netlify, this is automatic. If you're self-hosting, use Let's Encrypt.
HTTP to HTTPS redirect - Anyone hitting your site over plain HTTP should be automatically redirected to HTTPS. Without this, users can accidentally load the insecure version and have their data intercepted.
HSTS header enabled - The Strict-Transport-Security header tells browsers to only connect over HTTPS. Set max-age=31536000; includeSubDomains at minimum.
SECURITY HEADERS
Content Security Policy (CSP) - CSP controls which scripts, styles, and resources can load on your pages. Without it, an attacker who finds an XSS vulnerability can inject any script they want.
X-Frame-Options - Set this to DENY or SAMEORIGIN to prevent your site from being embedded in an iframe. This blocks clickjacking attacks.
X-Content-Type-Options - Set to nosniff. This prevents browsers from guessing the MIME type of a response, which stops a category of attacks where an attacker tricks the browser into executing a file as JavaScript.
PRO TIP
In Next.js, you can set all security headers in your middleware.ts file. One config block protects every route.
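As an added example (not code from the article or from UNPWNED), here is a framework-agnostic TypeScript helper that builds the four headers above with the values the checklist recommends, plus an audit function that checks a response's headers the way an automated scanner would. In a Next.js middleware.ts you would copy the returned map onto the response with response.headers.set(name, value); the code itself imports nothing. The baseline CSP is an assumption (same-origin scripts and styles only) that you will need to loosen per directive for your own app, and the sample "weak" header set is constructed for the dry run.

```typescript
// Added example, not from the article: recommended security headers plus an audit.
type HeaderMap = Record<string, string>;

// One year, as the checklist recommends for HSTS max-age.
const ONE_YEAR_SECONDS = 31536000;

// Build the checklist's headers. allowFraming lets you pick SAMEORIGIN if
// your own pages legitimately embed each other; the default is DENY.
function securityHeaders(opts: { allowFraming?: "DENY" | "SAMEORIGIN" } = {}): HeaderMap {
  return {
    "Strict-Transport-Security": `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`,
    // Assumed conservative baseline: same-origin scripts/styles, no plugins,
    // no framing. Loosen individual directives only as your app needs them.
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "X-Frame-Options": opts.allowFraming ?? "DENY",
    "X-Content-Type-Options": "nosniff",
  };
}

type Finding = { header: string; problem: string };

// Audit a response's headers against the checklist. Header names are
// matched case-insensitively, as HTTP requires.
function auditHeaders(headers: HeaderMap): Finding[] {
  const lower: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const findings: Finding[] = [];

  const hsts = lower["strict-transport-security"];
  if (!hsts) {
    findings.push({ header: "Strict-Transport-Security", problem: "missing" });
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = parseInt(m?.[1] ?? "0", 10);
    if (maxAge < ONE_YEAR_SECONDS) {
      findings.push({ header: "Strict-Transport-Security", problem: `max-age ${maxAge} is below one year` });
    }
    if (!/includeSubDomains/i.test(hsts)) {
      findings.push({ header: "Strict-Transport-Security", problem: "includeSubDomains not set" });
    }
  }

  if (!lower["content-security-policy"]) {
    findings.push({ header: "Content-Security-Policy", problem: "missing" });
  }

  const xfo = (lower["x-frame-options"] ?? "").toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN") {
    findings.push({ header: "X-Frame-Options", problem: xfo ? `unexpected value ${xfo}` : "missing" });
  }

  if ((lower["x-content-type-options"] ?? "").toLowerCase() !== "nosniff") {
    findings.push({ header: "X-Content-Type-Options", problem: "not set to nosniff" });
  }

  return findings;
}

// Constructed sample: a typical misconfigured response (short HSTS, no CSP,
// a bogus X-Frame-Options value, no nosniff).
const weakResponseHeaders: HeaderMap = {
  "strict-transport-security": "max-age=300",
  "x-frame-options": "ALLOWALL",
  "content-type": "text/html",
};
```

One caveat worth keeping in mind when you wire this up: browsers only honour Strict-Transport-Security on responses that were themselves delivered over HTTPS, so the header does nothing until the HTTP-to-HTTPS redirect from the previous item is in place.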
SECRETS MANAGEMENT
No .env file exposed publicly - Your .env file contains database passwords, API keys, and service tokens. If it's accessible at yoursite.com/.env, anyone can read it. Bots actively scan for this.
No API keys in frontend code - If a key starts with sk_ or is labeled "secret," it does not belong in your browser bundle. Only public/anon keys should be exposed client-side.
Rotate keys regularly - If a key leaks and you've been using the same one for two years, the blast radius is enormous. Rotate your API keys and database passwords every 90 days.
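The "no API keys in frontend code" item is easy to check mechanically before a deploy. Below is an added example (not the article's or UNPWNED's code) of a build-time check that fails when a secret-looking environment value shows up in the browser bundle. It assumes you hand it the environment the build saw and the concatenated text of the client-side output (for Next.js, the files under .next/static); the key strings in the sample data are fake and constructed for the dry run. Next.js only inlines NEXT_PUBLIC_-prefixed variables into the browser bundle, so anything else found there was copied in by hand.

```typescript
// Added example, not from the article: pre-deploy scan for leaked secrets.
type Env = Record<string, string>;

// A value is treated as a secret when its name says so or when it carries
// a secret-key prefix such as Stripe's sk_ (the article's example).
function looksLikeSecret(name: string, value: string): boolean {
  const n = name.toUpperCase();
  if (/SECRET|PRIVATE|PASSWORD|SERVICE_ROLE/.test(n)) return true;
  if (/^sk_/.test(value)) return true;
  return false;
}

// Public/anon keys are allowed client-side; everything else is suspicious.
function isPublicByConvention(name: string): boolean {
  return name.startsWith("NEXT_PUBLIC_") || /ANON|PUBLISHABLE/.test(name.toUpperCase());
}

type Leak = { name: string; reason: string };

// Report every env value that appears verbatim in the bundle and should not.
function findLeakedSecrets(env: Env, bundleText: string): Leak[] {
  const leaks: Leak[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (value.length < 8) continue;            // short values would false-positive
    if (!bundleText.includes(value)) continue;  // not in the bundle: nothing leaked
    if (looksLikeSecret(name, value)) {
      leaks.push({ name, reason: "secret value present in client bundle" });
    } else if (!isPublicByConvention(name)) {
      leaks.push({ name, reason: "non-public variable present in client bundle" });
    }
  }
  return leaks;
}

// Fail the build when anything leaked.
function checkBuild(env: Env, bundleText: string): { ok: boolean; leaks: Leak[] } {
  const leaks = findLeakedSecrets(env, bundleText);
  return { ok: leaks.length === 0, leaks };
}

// Constructed sample data; every key here is fake.
const sampleEnv: Env = {
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "anon-key-public-example-0001",
  STRIPE_SECRET_KEY: "sk_test_EXAMPLEexampleEXAMPLE1234",
  SUPABASE_SERVICE_ROLE_KEY: "service-role-example-key-9999",
  DATABASE_PASSWORD: "example-db-password-777",
};

// A bundle where someone instantiated the Stripe server SDK in client code.
const leakyBundle =
  'const supabase=createClient("https://example.supabase.co","anon-key-public-example-0001");' +
  'const stripe=new Stripe("sk_test_EXAMPLEexampleEXAMPLE1234");';

// The same bundle with the server-side call removed.
const cleanBundle =
  'const supabase=createClient("https://example.supabase.co","anon-key-public-example-0001");';
```

Run it as the last step of your CI build and treat a non-empty leaks list as a failed deploy. Because the check matches the literal value, it also catches a secret that was pasted into source directly rather than read from the environment, as long as that value is also present in the env you pass in.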
AUTHENTICATION
Rate limit login attempts - Without rate limiting, an attacker can try thousands of password combinations per minute. Add a limit of 5-10 attempts per IP per minute on your login and signup endpoints.
Secure session handling - Use HttpOnly, Secure, and SameSite flags on session cookies. Never store session tokens in localStorage. If you're using Supabase Auth, these are handled for you, but verify the defaults.
Offer MFA to users - Multi-factor authentication is no longer a nice-to-have. Even if you don't enforce it, give your users the option. Supabase Auth supports TOTP-based MFA out of the box.
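The rate-limiting and session-cookie items above can both be shown in a few dozen lines, so here is one added example (not code from the article, UNPWNED or Supabase) covering both: a fixed-window limiter keyed by client IP, and a helper that serialises a session cookie with the HttpOnly, Secure and SameSite flags the checklist calls for. The limits (5 attempts per IP per 60-second window) are taken from the article's range; the cookie name "session", the seven-day lifetime and the single-process in-memory store are assumptions. In an API route you would call allowAttempt() before verifying the password and put the cookie string on the Set-Cookie header; if you run more than one server instance, the counters need to live in a shared store such as Redis instead of a Map.

```typescript
// Added example, not from the article: login rate limiter and session cookie helper.
type AttemptWindow = { count: number; resetAt: number };

class LoginRateLimiter {
  private windows: Map<string, AttemptWindow>;
  private limit: number;
  private windowMs: number;

  // Defaults assumed from the article's "5-10 attempts per IP per minute".
  constructor(limit: number = 5, windowMs: number = 60000) {
    this.windows = new Map();
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Decide whether this attempt may proceed. `now` is injectable so the
  // window logic can be tested without waiting a minute.
  allowAttempt(ip: string, now: number = Date.now()): { allowed: boolean; retryAfterMs: number } {
    const w = this.windows.get(ip);
    if (!w || now >= w.resetAt) {
      // First attempt in a fresh window: start counting.
      this.windows.set(ip, { count: 1, resetAt: now + this.windowMs });
      return { allowed: true, retryAfterMs: 0 };
    }
    if (w.count >= this.limit) {
      // Over the limit: tell the caller when the window clears (for Retry-After).
      return { allowed: false, retryAfterMs: w.resetAt - now };
    }
    w.count += 1;
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Session cookie with HttpOnly (no JavaScript access), Secure (HTTPS only)
// and SameSite=Lax (not sent on cross-site POSTs). Path and Max-Age are
// explicit so the cookie never gets a broader scope than intended.
function sessionCookie(token: string, maxAgeSeconds: number = 60 * 60 * 24 * 7): string {
  // Refuse tokens that could smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9_\-.]+$/.test(token)) throw new Error("session token must be cookie-safe");
  return [
    `session=${token}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}
```

Because the cookie is HttpOnly, a script injected through an XSS bug cannot read the token, which is exactly why the checklist says never to keep it in localStorage. Remember to apply the same limiter to the signup and password-reset endpoints, not only to login.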
DATABASE
Use parameterized queries - Never concatenate user input into SQL strings. Always use parameterized queries or an ORM like Prisma. SQL injection is one of the oldest attacks in the book, and it still works on apps built last week.
Enable Row Level Security (RLS) - If you're using Supabase, RLS is not optional. Without it, any authenticated user can read and modify every row in your tables. Every single table needs a policy that scopes access to the authenticated user's own data.
Regular database backups - Supabase runs daily backups on paid plans. If you're on the free tier or self-hosting, set up automated backups yourself. Test your restore process at least once. A backup you've never tested is not a real backup.
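To make the parameterized-queries and RLS items concrete, here is an added example (not the article's, UNPWNED's or Supabase's code). It puts a string-concatenated query next to a small sql tagged template that produces the { text, values } shape node-postgres's client.query() accepts, so you can see that the user's input never becomes part of the SQL text. Nothing here connects to a database; it only builds the queries. The notes table, its user_id column and the RLS policy at the end are assumptions about a hypothetical schema, and the policy SQL sits in a string only so the whole example stays in one file (you would run it as a migration).

```typescript
// Added example, not from the article: concatenation vs parameterized queries.
type Query = { text: string; values: unknown[] };

// VULNERABLE: user input is spliced into the SQL text itself, so any quote
// or keyword in the input changes the meaning of the statement.
function findUserUnsafe(email: string): string {
  return `SELECT id FROM users WHERE email = '${email}'`;
}

// SAFE: interpolated values are replaced by $1, $2, ... placeholders and
// shipped separately from the text, so the database never parses them as SQL.
function sql(strings: TemplateStringsArray, ...values: unknown[]): Query {
  let text = "";
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) text += `$${i + 1}`;
  });
  return { text, values };
}

function findUserSafe(email: string): Query {
  return sql`SELECT id FROM users WHERE email = ${email}`;
}

// Placeholders are numbered in order, however many values you interpolate.
function findNote(userId: string, noteId: number): Query {
  return sql`SELECT body FROM notes WHERE user_id = ${userId} AND id = ${noteId}`;
}

// Constructed input: a perfectly legitimate address that contains a quote.
// The unsafe version turns it into broken (or attacker-controlled) SQL;
// the safe version passes it through untouched as a value.
const awkwardEmail = "o'brien@example.com";

// Assumed schema: notes.user_id holds the owner's auth.users id. With RLS
// enabled, a user only ever sees and writes their own rows, even if
// application code forgets to add a WHERE clause.
const enableNotesRls = `
  alter table notes enable row level security;
  create policy "notes are private to their owner" on notes
    for all
    using (auth.uid() = user_id)
    with check (auth.uid() = user_id);
`;
```

With node-postgres you would call client.query(findUserSafe(email).text, findUserSafe(email).values) or pass the object directly; Prisma and other ORMs do the same parameter binding for you as long as you never reach for raw string interpolation. The RLS policy is the second line of defence: it holds even when a query in your code is wrong.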
PRO TIP
Print this web security checklist and tape it next to your monitor. Run through it before every major deploy. It takes 10 minutes and can save you from a very bad day.
How to Automate This Checklist
Going through 15 items manually gets old fast. You'll do it once, maybe twice, and then stop. The solution is to automate the entire thing.
UNPWNED scans your site for all 15 items on this checklist and more. It checks your SSL configuration, verifies every security header, looks for exposed secrets, tests your authentication endpoints, and flags misconfigurations in real time. You get a full security report in under 60 seconds.
Instead of remembering to run through this list manually, you can schedule recurring scans. UNPWNED will alert you the moment something breaks. A new deploy accidentally removed your CSP header? You'll know within minutes, not months.
Stop Shipping Vulnerable Code
You don't need to become a security expert. You just need to cover the basics. This web security checklist gives you the startup security basics that block 90% of automated attacks.
Every item on this list is something UNPWNED checks automatically. Run your first scan right now. It's free, takes less than a minute, and you might be surprised by what it finds.
No signup required. Get your security report in 60 seconds.