Freelancer Handoff Security Checklist: 18-Item Guide

TL;DR

When a freelancer finishes, immediately revoke their access to all systems, rotate any credentials they touched, audit the code for security issues and backdoors, and verify you have all source code and documentation. 5 critical items must be done immediately, 9 important items within 48 hours, and 4 recommended items for complete security. Trust, but verify.

Quick Checklist (5 Critical Items)

Remove from GitHub/GitLab repositoryRevoke collaborator access and consider rotating deploy keys

Revoke access to hosting platformsRemove from Vercel, Netlify, Railway, AWS, or any deployment platforms

Remove from database accessRevoke Supabase, Firebase, or database admin access

Rotate all shared API keysGenerate new keys for any services where you shared credentials

Search for hardcoded credentialsCheck for API keys, passwords, or tokens hardcoded in the codebase

Immediate Access Revocation 5

Remove from GitHub/GitLab repositoryRevoke collaborator access. If they had write access to the repo, consider rotating deploy keys. How to revoke GitHub access

Revoke access to hosting platformsRemove from Vercel, Netlify, Railway, AWS, or any deployment platforms they had access to. How to revoke hosting access

Remove from database accessRevoke Supabase, Firebase, or database admin access. Delete any database users created for them. How to revoke database access

Remove from third-party servicesRevoke access to Stripe dashboard, analytics, email services, and any other tools they used. How to revoke third-party access

Remove from communication channelsRemove from Slack, Discord, or team communication tools with access to sensitive information. How to offboard contractors

Credential Rotation 4

Rotate all shared API keysGenerate new keys for any services where you shared credentials with the freelancer. How to rotate API keys

Change shared account passwordsIf any account passwords were shared (which they should not have been), change them immediately. How to rotate passwords securely

Regenerate OAuth client secretsIf they had access to OAuth configuration, regenerate client secrets. How to rotate OAuth secrets

Update environment variables in productionAfter rotating keys, update all environment variables in your production deployment. How to update environment variables

Code Audit 5

Review all code changesGo through git history and review every commit. Look for unusual additions or modifications. How to review git history

Search for hardcoded credentialsCheck for API keys, passwords, or tokens hardcoded in the codebase. How to secure API keys

Check for backdoor endpointsLook for hidden admin routes, debug endpoints, or unusual API endpoints that bypass authentication. How to find backdoors

Review authentication and authorization codeCarefully review any changes to login, session management, or permission checking logic. How to audit authentication

Run automated security scanUse SAST tools or security scanners to identify potential vulnerabilities in the code. How to run security scans

Documentation and Handoff 4

Verify you have all source codeConfirm the complete codebase is in your repository. Check for any code on their personal machines. How to verify code ownership

Collect documentationGet documentation for any systems, APIs, or processes they created. How to document handoff

Get list of accounts and services usedObtain a list of all third-party services, accounts, or tools they set up for the project. How to inventory services

Transfer ownership of any accountsIf the freelancer created accounts on behalf of your project, transfer ownership to your team. How to transfer account ownership

Prevention Is Better Than Cure

The best security practice is to limit freelancer access from the start. Create limited-scope credentials, use staging environments instead of production, and avoid sharing admin access whenever possible.

Consider using time-limited access tokens and separate service accounts for contractors. This makes revocation easier and limits the blast radius if something goes wrong.

Should I give freelancers access to production credentials?

Avoid giving freelancers direct access to production credentials. Use staging environments, create limited-scope credentials, or proxy access through your team. If production access is necessary, rotate credentials immediately after the engagement ends.

How do I verify a freelancer did not leave a backdoor?

Review all code changes, especially authentication and authorization logic. Search for hardcoded credentials, unusual network requests, and hidden admin endpoints. Run automated security scans and consider a professional code review for critical projects.

What if the freelancer refuses to hand over code or credentials?

This is why contracts matter. Your agreement should specify code ownership and handoff requirements. If they refuse, rotate all credentials they might have accessed, revoke all access, and consult legal counsel if necessary.

TL;DR

Quick Checklist (5 Critical Items)

Immediate Access Revocation 5

Credential Rotation 4

Code Audit 5

Documentation and Handoff 4

Prevention Is Better Than Cure

Should I give freelancers access to production credentials?

How do I verify a freelancer did not leave a backdoor?

What if the freelancer refuses to hand over code or credentials?

Related Articles

Acquired Codebase Security Checklist

Team Access Security Checklist

How to Rotate API Keys

Scan the Handed-Off Code

Freelancer Handoff Security Checklist: 18-Item Guide