[{"data":1,"prerenderedAt":184},["ShallowReactive",2],{"blog-launch/svelte-app":3},{"id":4,"title":5,"body":6,"category":163,"date":164,"dateModified":164,"description":165,"draft":166,"extension":167,"faq":168,"featured":166,"headerVariant":170,"image":171,"keywords":171,"meta":172,"navigation":173,"ogDescription":174,"ogTitle":171,"path":175,"readTime":171,"schemaOrg":176,"schemaType":177,"seo":178,"sitemap":179,"stem":180,"tags":181,"twitterCard":182,"__hash__":183},"blog/blog/launch/svelte-app.md","SvelteKit Launch Security Checklist: 16 Items Before Going Live",{"type":7,"value":8,"toc":157},"minimark",[9,19,22,44,63,82,101,117,122,125,128],[10,11,12,16],"tldr",{},[13,14,15],"p",{},"TL;DR",[13,17,18],{},"SvelteKit has server and client code. Before launch, add auth checks to server load functions and API routes, validate form action inputs, use hooks.server.ts for auth middleware, and verify environment variables are properly configured (PUBLIC_ prefix only for client-safe values).",[20,21],"print-button",{},[23,24,27,32,36,40],"checklist-section",{"count":25,"title":26},"4","Environment Variables",[28,29],"checklist-item",{"description":30,"label":31},"Only use PUBLIC_ for values safe to expose in browser","Check PUBLIC_ prefix usage",[28,33],{"description":34,"label":35},"Check deployment platform has all required variables set","Verify env vars in production",[28,37],{"description":38,"label":39},"Private env vars are only available in server code","Use $env/static/private for secrets",[28,41],{"description":42,"label":43},"Grep for api_key, sk_, pk_, password, secret, token","Search for hardcoded secrets",[23,45,47,51,55,59],{"count":25,"title":46},"Server Routes and Actions",[28,48],{"description":49,"label":50},"Check session in +page.server.ts and +layout.server.ts","Add auth to server load functions",[28,52],{"description":53,"label":54},"All API endpoints should verify authentication","Secure API routes 
(+server.ts)",[28,56],{"description":57,"label":58},"Parse request.formData() through a Zod (or similar) schema in every action and return fail(400, ...) on invalid input; client-side validation alone proves nothing","Validate form action inputs",[28,60],{"description":61,"label":62},"Call every +server.ts route with curl and no session cookie. Protected routes should return 401, never data.","Test endpoints without auth",[23,64,66,70,74,78],{"count":25,"title":65},"Authentication",[28,67],{"description":68,"label":69},"Resolve the session in the handle hook, store it on event.locals, and gate protected routes there. A check in +layout.server.ts alone does not protect child pages, because page and layout load functions run in parallel unless the page awaits parent().","Implement auth in hooks.server.ts",[28,71],{"description":72,"label":73},"Navigate to protected URLs in incognito mode; you should be redirected to login, not see cached or partially rendered data","Test protected pages directly",[28,75],{"description":76,"label":77},"Sessions should expire server-side, and logout should invalidate the server-side session as well as delete the cookie (deleting the cookie alone leaves the session usable)","Verify session handling",[28,79],{"description":80,"label":81},"SvelteKit rejects cross-origin form submissions (POST, PUT, PATCH, DELETE with form content types) by default via kit.csrf.checkOrigin. Verify it is still enabled. JSON API routes are not covered by this check and must rely on their own authentication.","Check CSRF protection",[23,83,85,89,93,97],{"count":25,"title":84},"Security and Deployment",[28,86],{"description":87,"label":88},"{@html} bypasses Svelte's escaping and renders raw HTML. Only use it with content sanitized server-side, never with unsanitized user input.","Check @html usage",[28,90],{"description":91,"label":92},"Let SvelteKit generate CSP nonces via kit.csp in svelte.config.js, and set Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy and X-Frame-Options on the response in the handle hook","Add security headers",[28,94],{"description":95,"label":96},"http:// should redirect to https://, and the response should carry a Strict-Transport-Security header","Verify HTTPS",[28,98],{"description":99,"label":100},"Catch issues you may have missed","Run automated security scan",[102,103,104,111],"faq-section",{},[105,106,108],"faq-item",{"question":107},"Is SvelteKit secure for production?",[13,109,110],{},"SvelteKit is production-ready and handles many security concerns well. However, you need to add authentication to server routes, validate inputs in form actions, use hooks for auth middleware, and ensure environment variables are properly configured.",[105,112,114],{"question":113},"Does SvelteKit have CSRF protection?",[13,115,116],{},"Yes, SvelteKit has built-in CSRF protection for form actions. By default it rejects mutating requests with form content types whose Origin header does not match the app's origin. 
Make sure you haven't disabled it by setting kit.csrf.checkOrigin to false in svelte.config.js, and remember it does not cover JSON requests to API routes.",[118,119,121],"h3",{"id":120},"scan-your-sveltekit-app","Scan Your SvelteKit App",[13,123,124],{},"Find security issues automatically before launch.",[13,126,127],{},"Start Free Scan",[129,130,131,137,142,147,152],"related-articles",{},[132,133],"related-card",{"description":134,"href":135,"title":136},"Security checklist for Product Hunt launches. 12 essential items to verify before your launch day to handle traffic spik","/blog/launch/product-hunt","Product Hunt Launch Security Checklist: 12 Items Before Launch Day",[132,138],{"description":139,"href":140,"title":141},"Security checklist for public product launches. 16 essential items to verify before opening your product to the world, f","/blog/launch/public-launch","Public Launch Security Checklist: 16 Items Before Going Live",[132,143],{"description":144,"href":145,"title":146},"Pre-launch security checklist for Python APIs (FastAPI, Flask, Django). 16 essential items covering authentication, inpu","/blog/launch/python-api","Python API Launch Security Checklist: 16 Items Before Going Live",[132,148],{"description":149,"href":150,"title":151},"Security checklist for public API launches. 16 essential items to verify before opening your API to external developers,","/blog/launch/api-public-launch","API Public Launch Security Checklist: 16 Items Before Opening Your API",[132,153],{"description":154,"href":155,"title":156},"Security checklist for beta launches. 14 essential items to verify before inviting your first beta users, including data","/blog/launch/beta-launch","Beta Launch Security Checklist: 14 Items Before Inviting Beta Users",{"title":158,"searchDepth":159,"depth":159,"links":160},"",2,[161],{"id":120,"depth":162,"text":121},3,"launch","2026-02-16","Pre-launch security checklist for SvelteKit applications. 
16 essential items covering server routes, load functions, and deployment security.",false,"md",[169],{"question":107,"answer":110},"orange",null,{},true,"Pre-launch security checklist for SvelteKit apps. 16 essential items before deploying.","/blog/launch/svelte-app","[object Object]","Article",{"title":5,"description":165},{"loc":175},"blog/launch/svelte-app",[],"summary_large_image","RVLSB1Puh8dtYYLMQ39-W9ZlYSmuSxhBEzdxS2w-t48",1775843935642]
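The checklist's Authentication and CSRF items (auth in hooks.server.ts, 401 for unauthenticated API calls, the origin check that only covers form submissions) are shown together below as an added example. This is not code from the original page or from SvelteKit itself: it re-implements the logic a handle hook would carry in plain TypeScript, with hand-written stand-ins for SvelteKit's RequestEvent so it runs without the framework installed. The route layout (/app/* pages, /api/* endpoints), the cookie name "session" and the in-memory session table are assumptions for illustration.

```typescript
// Added example, not code from the original page or from SvelteKit: the auth
// and CSRF logic of a hooks.server.ts handle hook, written against minimal
// stand-in types so it runs stand-alone. Route names, cookie name and the
// session store are assumptions.

type Session = { userId: string };
type Req = { method: string; url: string; headers: Record<string, string> };
type Res = { status: number; body: string; headers: Record<string, string> };
type GuardEvent = { request: Req; url: URL; locals: { user?: Session }; cookies: Map<string, string> };
type Resolve = (event: GuardEvent) => Res;

// Stand-in for a server-side session table (assumption): cookie value -> session.
const SESSIONS = new Map<string, Session>([['sid-alice', { userId: 'alice' }]]);

// Assumed route layout: /app/* are protected pages, /api/* are protected endpoints.
const PROTECTED_PAGE = /^\/app(\/|$)/;
const PROTECTED_API = /^\/api(\/|$)/;

// SvelteKit's default CSRF check (kit.csrf.checkOrigin) applies only to mutating
// requests with these form-style content types. Re-implemented here to show what
// it covers: a JSON POST from another origin passes it, so API routes must still
// verify the session themselves.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function header(req: Req, name: string): string {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? req.headers[key] : '';
}

export function isCrossSiteForm(req: Req, origin: string): boolean {
  if (!MUTATING.has(req.method.toUpperCase())) return false;
  const type = header(req, 'content-type').split(';')[0].trim().toLowerCase();
  return FORM_TYPES.includes(type) && header(req, 'origin') !== origin;
}

export function parseCookies(raw: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of raw.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return out;
}

// The handle hook: reject cross-site form posts, attach the session to
// event.locals, and gate protected routes before any load function runs.
// (SvelteKit's real handle is async; this stand-in is synchronous.)
export function handle(event: GuardEvent, resolve: Resolve): Res {
  if (isCrossSiteForm(event.request, event.url.origin)) {
    return { status: 403, body: 'Cross-site form submission forbidden', headers: {} };
  }
  const sid = event.cookies.get('session');
  event.locals.user = sid ? SESSIONS.get(sid) : undefined;
  const path = event.url.pathname;
  if (!event.locals.user) {
    // API routes answer 401 (what the "test endpoints without auth" check expects);
    // pages redirect to login with the original path preserved.
    if (PROTECTED_API.test(path)) return { status: 401, body: 'Unauthorized', headers: {} };
    if (PROTECTED_PAGE.test(path)) {
      const location = '/login?redirectTo=' + encodeURIComponent(path);
      return { status: 303, body: '', headers: { location } };
    }
  }
  return resolve(event);
}

// Harness: build an event from a raw request and resolve with a route that
// reports who was authenticated, as a +server.ts or page load would see it.
export function simulate(req: Req): Res {
  const event: GuardEvent = {
    request: req,
    url: new URL(req.url),
    locals: {},
    cookies: parseCookies(header(req, 'cookie')),
  };
  return handle(event, (e) => ({
    status: 200,
    body: 'ok:' + (e.locals.user?.userId ?? 'anonymous'),
    headers: {},
  }));
}
```

Run it with a few constructed requests: an unauthenticated GET to /api/me returns 401, the same request with Cookie: session=sid-alice returns 200 and resolves to alice, an unauthenticated /app/dashboard redirects to /login, a form POST carrying Origin: https://evil.example is refused with 403 before the session is even looked up, and a cross-origin JSON POST to /api/items is not caught by the origin check at all, which is exactly why the session check on API routes is a separate checklist item.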