Security basics
What this layer solves
Security is not an audit checkbox on day one — it’s least privilege, secrets hygiene, and not trusting user input. Get the basics wrong and AI-generated code can leak keys or expose data.
Topics and defaults
| Topic | What to internalize | NK Wiki default posture |
|---|---|---|
| Secrets | API keys only in env vars / secret manager; never in Git | .env.local, Vercel env dashboard |
| Auth | Sessions/JWT; who can call which API | Supabase Auth + RLS |
| Input validation | Treat all client data as hostile | Zod or similar at API boundary |
| Dependencies | npm audit, pin versions for prod | Regular updates, not blind latest |
| HTTPS | Always in production | Let Vercel handle certs |
Outline: checklist before “real users”
- Rotate any key that ever hit a log or screenshot.
- RLS / authorization rules match your product rules — not “public read/write for dev convenience.”
- CORS and cookie settings intentional — not copy-pasted wildcards.
- Rate limiting on auth and expensive endpoints when you expose APIs.
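The CORS and cookie item above, as an added example (not NK Wiki or Supabase code): echo the Origin header only when it exactly matches an allowlist, and set the session cookie attributes explicitly. The origins, the cookie name and the function names corsHeaders and sessionCookie are assumptions for illustration.

```javascript
// Added example; origins, cookie name and function names are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// CORS headers for a request's Origin. Unknown, missing or malformed origins
// get no Access-Control-* headers, so the browser blocks the cross-origin read.
function corsHeaders(origin) {
  const headers = { Vary: "Origin" }; // keep caches from reusing a response across origins
  if (typeof origin !== "string") return headers;
  let normalized;
  try {
    normalized = new URL(origin).origin; // scheme + host + port only
  } catch {
    return headers; // not a URL at all (for example the literal "null")
  }
  // Exact match only: no wildcard, suffix or substring comparison.
  if (normalized !== origin || !ALLOWED_ORIGINS.has(normalized)) return headers;
  headers["Access-Control-Allow-Origin"] = normalized;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Methods"] = "GET, POST";
  headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
  return headers;
}

// Set-Cookie value for a session token. The __Host- prefix makes browsers
// reject the cookie unless it is Secure, has Path=/ and carries no Domain.
function sessionCookie(token, maxAgeSeconds = 3600) {
  if (!/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error("session token must contain URL-safe characters only");
  }
  return [
    `__Host-session=${token}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly", // not readable from page scripts
    "Secure", // sent over HTTPS only
    "SameSite=Lax", // not attached to cross-site subrequests or POSTs
  ].join("; ");
}

// Constructed sample origins: one allowed, one look-alike, one opaque.
for (const o of ["https://app.example.com", "https://app.example.com.evil.test", "null"]) {
  console.log(o, "->", corsHeaders(o)["Access-Control-Allow-Origin"] ?? "(no CORS headers)");
}
console.log(sessionCookie("constructed_token_123"));
```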
Official & deep links
- OWASP Top 10 — categories of common web flaws
- Supabase RLS
Related
- What can go wrong — LLM-specific risks (injection, data handling)
Last reviewed: April 2026.