Most startups think about security after something goes wrong. A breach at an early stage can be fatal. These ten checks can be completed in a weekend.
1. Enable HTTPS Everywhere
Every page must be served over HTTPS. Get a free TLS certificate from Let's Encrypt. Redirect all HTTP traffic to HTTPS and enable HSTS.
2. Configure HTTP Security Headers
At minimum set: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and Referrer-Policy.
3. Use Parameterised Queries
Never build SQL queries by string-concatenating user input. Always use parameterised queries or prepared statements.
4. Hash Passwords Correctly
Use a purpose-built password hashing function: bcrypt, Argon2, or scrypt. Never use general-purpose hashes such as MD5, SHA1, or SHA256 for password hashing.
5. Rate-Limit Auth Endpoints
Prevent credential stuffing and brute-force attacks against your login, registration, and password-reset endpoints.
6. Apply Least Privilege
Every component — database users, API keys, cloud IAM roles — should have the minimum permissions needed. Audit quarterly.
7. Keep Dependencies Updated
Enable automated updates (Dependabot, Renovate). Subscribe to security advisories. Budget time each sprint for patching.
8. Audit Cloud Storage Permissions
Before launch, audit every bucket. Ensure no sensitive data is publicly accessible. Use signed URLs for private objects.
9. Set Up Logging and Alerting
Log all auth events, access control failures, and sensitive data access. Alert on anomalous patterns.
10. Write an Incident Response Plan
Document what you'll do if you discover a breach. Who contains it? Who notifies users? A one-page plan written in advance means you'll respond faster.