React App Launch Security Checklist: 15 Items Before Going Live

TL;DR

React apps run entirely in the browser, so never put secrets in your code. Before launch, verify no API keys are exposed, check that sensitive operations go through a backend, test authentication flows, and ensure your build doesn't include source maps in production.

React is a client-side framework. Everything in your React code is visible to anyone who views your site. This fundamental fact drives most security concerns for React apps. This checklist covers what you need to verify before launch.

API Keys and Secrets 4

Verify no secret keys in client codeAll code is visible in browser. Secret keys must stay on the server.

Check REACT_APP_ environment variablesThese are embedded in the build. Only use for public values.

Search source for hardcoded secretsGrep for sk_, pk_, api_key, password, secret, token

Review Network tab in DevToolsCheck no sensitive data is exposed in API requests/responses

API and Backend Security 4

Sensitive operations go through backendPayments, emails, and admin functions need server-side processing

Backend validates all inputsClient validation can be bypassed. Server must validate everything.

Backend checks authenticationDon't trust client-side auth state. Verify on every API call.

CORS is configured correctlyOnly allow requests from your domain, not *

Authentication 4

Protected routes redirect without authNavigate directly to protected URLs in incognito mode

Tokens stored securelyPrefer httpOnly cookies over localStorage for auth tokens

Logout clears all auth stateTokens should be removed, and back button shouldn't work

Session expiration worksOld sessions should expire and require re-login

Build and Deployment 3

Source maps disabled in productionSource maps expose your original code. Disable for production builds.

HTTPS enforcedhttp:// should redirect to https://

Check for dangerouslySetInnerHTMLIf used, ensure content is sanitized to prevent XSS

Is React secure by default?

React escapes content by default, which prevents most XSS attacks. However, React apps can still have security issues: exposed API keys, insecure API calls, improper use of dangerouslySetInnerHTML, and authentication handled only on the client side.

How do I secure API keys in a React app?

Never put secret API keys in React code. All code sent to the browser is visible. For sensitive operations, create a backend API that makes the calls with your secret keys, and have React call your backend instead.

Should I use localStorage for auth tokens?

LocalStorage is vulnerable to XSS attacks. If an attacker can run JavaScript on your page, they can read localStorage. HttpOnly cookies are more secure for auth tokens because JavaScript can't access them.

Scan Your React App

Find exposed secrets and security issues automatically.

Start Free Scan