The security pages on this site, gathered into one hub. The model is defense in depth: validate input at the boundary, enforce authorization in the database, keep secrets off the client, verify every inbound integration, and harden the transport. Each page is atomic and lives in its home section; this MOC is the cross-cutting index.
Access control and data protection
- supabase-rls: Row Level Security is the boundary when clients hit the database directly. Enable it per table, pair `USING` with `WITH CHECK`, and never ship `service_role`.
- auth-sessions: Session cookie flags (HttpOnly, Secure, SameSite), session vs JWT, refresh-token rotation, CSRF, and session fixation.
- secrets-and-env: What is public vs secret, why `NEXT_PUBLIC_`/`VITE_` reach the client bundle, scanning with gitleaks, and rotation.
Input validation and injection defense
- python-security: Validate input with Pydantic, parameterize SQL, avoid `pickle`, load secrets from the environment, and prevent SSRF.
- prompt-injection-defense: Treat model input as untrusted, separate instructions from data, and constrain tool use against injection.
- mcp-security: Trust boundaries, tool permissions, and the injection surface when agents call MCP servers.
Integration and API security
- webhooks: Verify HMAC signatures on the raw body, dedup by event id, respond `2xx` fast then process async, and guard against replay.
- payments-stripe: Raw-body webhook signature verification, idempotency keys, server-side amounts, and fulfilling from events.
Transport and platform
- cloudflare-security-headers: CSP, HSTS, Referrer-Policy, and Permissions-Policy via Cloudflare Transform Rules.
Process and launch
- pre-launch-checklist: The security and readiness punch list to clear before traffic arrives: secrets, RLS, rate limiting, auth guards, and legal docs.