[{"data":1,"prerenderedAt":211},["ShallowReactive",2],{"blog-checklists/mvp-security-checklist":3},{"id":4,"title":5,"body":6,"category":187,"date":188,"dateModified":189,"description":190,"draft":191,"extension":192,"faq":193,"featured":191,"headerVariant":196,"image":197,"keywords":197,"meta":198,"navigation":199,"ogDescription":200,"ogTitle":197,"path":201,"readTime":197,"schemaOrg":202,"schemaType":203,"seo":204,"sitemap":205,"stem":206,"tags":207,"twitterCard":209,"__hash__":210},"blog/blog/checklists/mvp-security-checklist.md","MVP Security Checklist: 12-Item Guide for Minimum Viable Security",{"type":7,"value":8,"toc":180},"minimark",[9,16,19,22,47,63,81,100,105,108,111,115,118,121,124,127,149,168],[10,11,12],"tldr",{},[13,14,15],"p",{},"MVPs need enough security to protect user data without delaying launch. Focus on the essentials: no exposed API keys, database access controls, HTTPS, and basic auth. 4 critical items must be fixed before any users, 4 important items should be done soon, and 4 recommended items can wait. Skip enterprise compliance for now, but never skip protecting your users' data.",[13,17,18],{},"You do not need SOC 2 to ship an MVP. You do need to make sure someone cannot walk off with your users' data because you left the database wide open. This is the bare minimum that lets you sleep at night after launch day, nothing more and nothing less.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Search for sk_, pk_, api_key, secret in your codebase","No hardcoded API keys in code",[27,32],{"description":33,"label":34},"RLS for Supabase, Security Rules for Firebase","Database access control enabled",[27,36],{"description":37,"label":38},"All traffic encrypted, no mixed content warnings","HTTPS enabled",[27,40],{"description":41,"label":42},"Users can only access their own data and features","Authentication on protected features",[27,44],{"description":45,"label":46},"Log in as User A and verify you cannot see User B's data","User data isolation tested",[23,48,51,54,57,60],{"title":49,"count":50},"Must Have Before Any Users","4",[27,52],{"description":53,"label":30},"Search for sk_, pk_, api_key, secret. All secrets must be in environment variables. How to secure API keys",[27,55],{"description":56,"label":34},"RLS for Supabase, Security Rules for Firebase, or equivalent for your database. How to set up database security",[27,58],{"description":59,"label":38},"All traffic encrypted. Most hosting providers handle this automatically. How to set up HTTPS",[27,61],{"description":62,"label":42},"Users can only access their own data and features. How to implement auth checks",[23,64,66,70,73,77],{"title":65,"count":50},"Should Have",[27,67],{"description":68,"label":69},"Verify .env, credentials, and keys are not in your repository. How to secure .env files",".gitignore includes sensitive files",[27,71],{"description":72,"label":46},"Log in as User A and verify you cannot see User B's data. How to test data isolation",[27,74],{"description":75,"label":76},"Test XSS: enter \u003Cscript>alert(1)\u003C/script> in text fields. How to prevent XSS","Basic input validation",[27,78],{"description":79,"label":80},"Use bcrypt or argon2. Never store plain text passwords. How to hash passwords","Password hashing (if using custom auth)",[23,82,84,88,92,96],{"title":83,"count":50},"Nice to Have for MVP",[27,85],{"description":86,"label":87},"X-Frame-Options, CSP, HSTS. Important but can add post-launch. How to configure security headers","Security headers configured",[27,89],{"description":90,"label":91},"Prevents brute force. Add if you see abuse. How to implement rate limiting","Rate limiting on auth endpoints",[27,93],{"description":94,"label":95},"Set up Dependabot or similar for dependency updates. How to set up Dependabot","Automated security scanning",[27,97],{"description":98,"label":99},"Sentry or similar to catch issues early. How to set up error monitoring","Error monitoring",[101,102,104],"h2",{"id":103},"what-to-skip-for-now","What to Skip for Now",[13,106,107],{},"For an MVP, you can defer: SOC 2 compliance, penetration testing, elaborate logging systems, multi-factor authentication, and complex rate limiting. These become important as you scale, but they shouldn't block your launch.",[13,109,110],{},"However, never skip: protecting API keys, database access controls, HTTPS, and basic authentication. A security incident with your first users will damage your reputation more than a delayed launch.",[101,112,114],{"id":113},"when-to-add-more-security","When to Add More Security",[13,116,117],{},"Add more security as you hit these milestones:",[13,119,120],{},"10+ users: Add basic monitoring and error tracking.",[13,122,123],{},"100+ users: Add rate limiting, security headers, and automated dependency updates.",[13,125,126],{},"1000+ users or any payment data: Consider professional security audit, compliance requirements, and dedicated security practices.",[128,129,130,137,143],"faq-section",{},[131,132,134],"faq-item",{"question":133},"How much security does an MVP need?",[13,135,136],{},"An MVP needs enough security to protect user data and your reputation. At minimum: no exposed API keys, database access controls, HTTPS, and basic authentication. Skip enterprise features like SOC 2, but never skip user data protection.",[131,138,140],{"question":139},"Should I delay launch for security?",[13,141,142],{},"Only delay if you have critical vulnerabilities like exposed database credentials or missing authentication on sensitive endpoints. Don't delay for nice-to-have security features. Ship with minimum viable security and improve iteratively.",[131,144,146],{"question":145},"What if I get hacked as an MVP?",[13,147,148],{},"Even MVPs can face attacks. If this checklist is complete, you're protected from the most common vulnerabilities. Have an incident response plan: know how to reset credentials, notify users, and restore from backups.",[150,151,152,158,163],"related-articles",{},[153,154],"related-card",{"description":155,"href":156,"title":157},"What to check before your first users","/blog/checklists/first-users-checklist","First Users Security Checklist",[153,159],{"description":160,"href":161,"title":162},"Full security checklist for startups","/blog/checklists/startup-security-checklist","Startup Security Checklist",[153,164],{"description":165,"href":166,"title":167},"Step-by-step guide to hiding your keys","/blog/how-to/hide-api-keys","How to Hide API Keys",[169,170,173,177],"cta-box",{"href":171,"label":172},"/","Start Free Scan",[101,174,176],{"id":175},"launch-ready-security-scan","Launch-Ready Security Scan",[13,178,179],{},"Verify your MVP is secure in minutes. Our scanner checks all the essentials.",{"title":181,"searchDepth":182,"depth":182,"links":183},"",2,[184,185,186],{"id":103,"depth":182,"text":104},{"id":113,"depth":182,"text":114},{"id":175,"depth":182,"text":176},"checklists","2026-02-02","2026-02-19","Security checklist for MVPs. The minimum security you need before launching your minimum viable product to real users.",false,"md",[194,195],{"question":133,"answer":136},{"question":139,"answer":142},"green",null,{},true,"Minimum security for your MVP. Essential security before real users.","/blog/checklists/mvp-security-checklist","[object Object]","HowTo",{"title":5,"description":190},{"loc":201},"blog/checklists/mvp-security-checklist",[208],"Security Checklist","summary_large_image","cdp_wp90YQhAIVhWemSwmXQBiYmNBIdNwjP4VNENb6A",1775843918547]