[{"data":1,"prerenderedAt":221},["ShallowReactive",2],{"blog-checklists/freelancer-handoff-checklist":3},{"id":4,"title":5,"body":6,"category":198,"date":199,"dateModified":199,"description":200,"draft":201,"extension":202,"faq":203,"featured":201,"headerVariant":206,"image":207,"keywords":207,"meta":208,"navigation":209,"ogDescription":210,"ogTitle":207,"path":211,"readTime":207,"schemaOrg":212,"schemaType":213,"seo":214,"sitemap":215,"stem":216,"tags":217,"twitterCard":219,"__hash__":220},"blog/blog/checklists/freelancer-handoff-checklist.md","Freelancer Handoff Security Checklist: 18-Item Guide",{"type":7,"value":8,"toc":192},"minimark",[9,16,19,22,47,68,87,109,128,133,136,139,161,180],[10,11,12],"tldr",{},[13,14,15],"p",{},"When a freelancer finishes, immediately revoke their access to all systems, rotate any credentials they touched, audit the code for security issues and backdoors, and verify you have all source code and documentation. 5 critical items must be done immediately, 9 important items within 48 hours, and 4 recommended items for complete security. Trust, but verify.",[13,17,18],{},"The freelancer did good work, the project is done, everyone is happy. Now comes the part nobody thinks about -- making sure they no longer have the keys to your kingdom. Most security incidents from contractor work happen after the engagement ends, not during it. Run through this list before you consider the handoff complete.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Revoke collaborator access and consider rotating deploy keys","Remove from GitHub/GitLab repository",[27,32],{"description":33,"label":34},"Remove from Vercel, Netlify, Railway, AWS, or any deployment platforms","Revoke access to hosting platforms",[27,36],{"description":37,"label":38},"Revoke Supabase, Firebase, or database admin access","Remove from database access",[27,40],{"description":41,"label":42},"Generate new keys for any services where you shared credentials","Rotate all shared API keys",[27,44],{"description":45,"label":46},"Check for API keys, passwords, or tokens hardcoded in the codebase","Search for hardcoded credentials",[23,48,51,54,57,60,64],{"title":49,"count":50},"Immediate Access Revocation","5",[27,52],{"description":53,"label":30},"Revoke collaborator access. If they had write access to the repo, consider rotating deploy keys. How to revoke GitHub access",[27,55],{"description":56,"label":34},"Remove from Vercel, Netlify, Railway, AWS, or any deployment platforms they had access to. How to revoke hosting access",[27,58],{"description":59,"label":38},"Revoke Supabase, Firebase, or database admin access. Delete any database users created for them. How to revoke database access",[27,61],{"description":62,"label":63},"Revoke access to Stripe dashboard, analytics, email services, and any other tools they used. How to revoke third-party access","Remove from third-party services",[27,65],{"description":66,"label":67},"Remove from Slack, Discord, or team communication tools with access to sensitive information. How to offboard contractors","Remove from communication channels",[23,69,72,75,79,83],{"title":70,"count":71},"Credential Rotation","4",[27,73],{"description":74,"label":42},"Generate new keys for any services where you shared credentials with the freelancer. How to rotate API keys",[27,76],{"description":77,"label":78},"If any account passwords were shared (which they should not have been), change them immediately. How to rotate passwords securely","Change shared account passwords",[27,80],{"description":81,"label":82},"If they had access to OAuth configuration, regenerate client secrets. How to rotate OAuth secrets","Regenerate OAuth client secrets",[27,84],{"description":85,"label":86},"After rotating keys, update all environment variables in your production deployment. How to update environment variables","Update environment variables in production",[23,88,90,94,97,101,105],{"title":89,"count":50},"Code Audit",[27,91],{"description":92,"label":93},"Go through git history and review every commit. Look for unusual additions or modifications. How to review git history","Review all code changes",[27,95],{"description":96,"label":46},"Check for API keys, passwords, or tokens hardcoded in the codebase. How to secure API keys",[27,98],{"description":99,"label":100},"Look for hidden admin routes, debug endpoints, or unusual API endpoints that bypass authentication. How to find backdoors","Check for backdoor endpoints",[27,102],{"description":103,"label":104},"Carefully review any changes to login, session management, or permission checking logic. How to audit authentication","Review authentication and authorization code",[27,106],{"description":107,"label":108},"Use SAST tools or security scanners to identify potential vulnerabilities in the code. How to run security scans","Run automated security scan",[23,110,112,116,120,124],{"title":111,"count":71},"Documentation and Handoff",[27,113],{"description":114,"label":115},"Confirm the complete codebase is in your repository. Check for any code on their personal machines. How to verify code ownership","Verify you have all source code",[27,117],{"description":118,"label":119},"Get documentation for any systems, APIs, or processes they created. How to document handoff","Collect documentation",[27,121],{"description":122,"label":123},"Obtain a list of all third-party services, accounts, or tools they set up for the project. How to inventory services","Get list of accounts and services used",[27,125],{"description":126,"label":127},"If the freelancer created accounts on behalf of your project, transfer ownership to your team. How to transfer account ownership","Transfer ownership of any accounts",[129,130,132],"h2",{"id":131},"prevention-is-better-than-cure","Prevention Is Better Than Cure",[13,134,135],{},"The best security practice is to limit freelancer access from the start. Create limited-scope credentials, use staging environments instead of production, and avoid sharing admin access whenever possible.",[13,137,138],{},"Consider using time-limited access tokens and separate service accounts for contractors. This makes revocation easier and limits the blast radius if something goes wrong.",[140,141,142,149,155],"faq-section",{},[143,144,146],"faq-item",{"question":145},"Should I give freelancers access to production credentials?",[13,147,148],{},"Avoid giving freelancers direct access to production credentials. Use staging environments, create limited-scope credentials, or proxy access through your team. If production access is necessary, rotate credentials immediately after the engagement ends.",[143,150,152],{"question":151},"How do I verify a freelancer did not leave a backdoor?",[13,153,154],{},"Review all code changes, especially authentication and authorization logic. Search for hardcoded credentials, unusual network requests, and hidden admin endpoints. Run automated security scans and consider a professional code review for critical projects.",[143,156,158],{"question":157},"What if the freelancer refuses to hand over code or credentials?",[13,159,160],{},"This is why contracts matter. Your agreement should specify code ownership and handoff requirements. If they refuse, rotate all credentials they might have accessed, revoke all access, and consult legal counsel if necessary.",[162,163,164,170,175],"related-articles",{},[165,166],"related-card",{"description":167,"href":168,"title":169},"Security audit for inherited projects","/blog/checklists/acquired-codebase-checklist","Acquired Codebase Security Checklist",[165,171],{"description":172,"href":173,"title":174},"Managing team access securely","/blog/checklists/team-access-checklist","Team Access Security Checklist",[165,176],{"description":177,"href":178,"title":179},"Step-by-step credential rotation","/blog/how-to/rotate-api-keys","How to Rotate API Keys",[181,182,185,189],"cta-box",{"href":183,"label":184},"/","Start Free Scan",[129,186,188],{"id":187},"scan-the-handed-off-code","Scan the Handed-Off Code",[13,190,191],{},"Get an automated security scan to catch issues you might have missed.",{"title":193,"searchDepth":194,"depth":194,"links":195},"",2,[196,197],{"id":131,"depth":194,"text":132},{"id":187,"depth":194,"text":188},"checklists","2026-01-28","Security checklist for receiving code from freelancers. Revoke access, audit credentials, review code quality, and secure your project after handoff.",false,"md",[204,205],{"question":145,"answer":148},{"question":151,"answer":154},"green",null,{},true,"Secure your project when receiving code from freelancers or contractors.","/blog/checklists/freelancer-handoff-checklist","[object Object]","HowTo",{"title":5,"description":200},{"loc":211},"blog/checklists/freelancer-handoff-checklist",[218],"Security Checklist","summary_large_image","OJFSDUP3koUXeNBTNoFE_LORyvSgvzFhbytZLcDpCL8",1775843931078]