SvelteKit Launch Security Checklist: 16 Items Before Going Live

TL;DR

SvelteKit has server and client code. Before launch, add auth checks to server load functions and API routes, validate form action inputs, use hooks.server.ts for auth middleware, and verify environment variables are properly configured (PUBLIC_ prefix only for client-safe values).

Environment Variables 4

Check PUBLIC_ prefix usageOnly use PUBLIC_ for values safe to expose in browser

Verify env vars in productionCheck deployment platform has all required variables set

Use $env/static/private for secretsPrivate env vars are only available in server code

Search for hardcoded secretsGrep for api_key, sk_, pk_, password, secret, token

Server Routes and Actions 4

Add auth to server load functionsCheck session in +page.server.ts and +layout.server.ts

Secure API routes (+server.ts)All API endpoints should verify authentication

Validate form action inputsUse Zod or similar to validate all form submissions

Test endpoints without authCall API routes directly without session. Should return 401.

Authentication 4

Implement auth in hooks.server.tsUse handle hook to check auth on protected routes

Test protected pages directlyNavigate to protected URLs in incognito mode

Verify session handlingSessions should expire and logout should clear all cookies

Check CSRF protectionSvelteKit has built-in CSRF for form actions. Verify it's not disabled.

Security and Deployment 4

Check @html usage@html renders raw HTML. Only use with sanitized, trusted content.

Add security headersConfigure CSP and other headers in hooks.server.ts

Verify HTTPShttp:// should redirect to https://

Run automated security scanCatch issues you may have missed

Is SvelteKit secure for production?

SvelteKit is production-ready and handles many security concerns well. However, you need to add authentication to server routes, validate inputs in form actions, use hooks for auth middleware, and ensure environment variables are properly configured.

Does SvelteKit have CSRF protection?

Yes, SvelteKit has built-in CSRF protection for form actions. It automatically validates the origin header. Make sure you haven't disabled this by setting csrf: false in your config.