Developers · Updated May 5, 2026
Security and production checklist
Secure secrets, actions, provider keys, customer data, migrations, and deployment operations before production use.
Production security should be clear and boring: least privilege, server-side secrets, safe defaults, migrations from the repo, and visible operational logs.
Environment
- Set the Supabase URL and service role key on the API server only. The service role key bypasses RLS, so it must never be bundled into or fetched by the browser.
- Set AI provider keys server-side only; the browser calls your API, never the provider directly.
- Set the Stripe secret key, webhook signing secret, plan price IDs, coupon IDs, and public app URL, and verify each against the live Stripe dashboard before go-live.
- Set the email notification sender address, reply-to address, and Resend or SMTP credentials server-side.
- Set Vapi credentials server-side if voice is enabled.
Actions security
- Store action secrets encrypted at rest and never expose them to the browser.
- Restrict outbound HTTP from actions to an explicit allowlist of domains.
- Require user confirmation or an approval step before any write action runs.
- Set per-action timeouts and log failures with readable reasons.
Database
- Apply Drizzle migrations from the migration files checked into the project; do not hand-edit the production schema.
- Do not delete migration files listed in the Drizzle journal (meta/_journal.json); the journal and the SQL files must stay in sync or migrate fails.
- Keep RLS policies explicit, and use service role access only in server code paths that genuinely need to bypass them.
- Run cleanup scripts only against rows carrying demo seed markers, never against unfiltered tables.
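A pre-deploy check makes the journal rule above mechanical rather than a matter of remembering. The audit below is an added example, not the project's own code. It assumes the default Drizzle layout, where `meta/_journal.json` holds an `entries` array and each entry's `tag` names a sibling `<tag>.sql` file; the sample journal and file list are constructed, and the function names are assumptions.

```typescript
// Added example: audit a Drizzle migrations folder against its journal.
// Not the project's own code. Assumes the default layout: <out>/meta/_journal.json
// with "entries" whose "tag" names <out>/<tag>.sql.

export interface JournalEntry { idx: number; tag: string; when?: number; breakpoints?: boolean }
export interface Journal { version: string; dialect: string; entries: JournalEntry[] }

export interface JournalReport {
  missing: string[];    // journaled tags with no .sql file: migrate will fail here
  untracked: string[];  // .sql files the journal does not know about: never applied
  outOfOrder: string[]; // entries whose idx disagrees with their position in the array
}

export function auditJournal(journal: Journal, sqlFiles: string[]): JournalReport {
  const tags = new Set(journal.entries.map((e) => e.tag));
  const present = new Set(
    sqlFiles.filter((f) => f.endsWith(".sql")).map((f) => f.slice(0, -".sql".length)),
  );
  return {
    missing: [...tags].filter((t) => !present.has(t)),
    untracked: [...present].filter((t) => !tags.has(t)),
    outOfOrder: journal.entries.filter((e, i) => e.idx !== i).map((e) => e.tag),
  };
}

export function journalIsConsistent(report: JournalReport): boolean {
  return report.missing.length === 0
    && report.untracked.length === 0
    && report.outOfOrder.length === 0;
}

// Constructed sample: three journaled migrations, one SQL file deleted,
// one stray experiment file that was never journaled.
export const SAMPLE_JOURNAL: Journal = {
  version: "7",
  dialect: "postgresql",
  entries: [
    { idx: 0, tag: "0000_init", when: 1710000000000, breakpoints: true },
    { idx: 1, tag: "0001_add_actions", when: 1710100000000, breakpoints: true },
    { idx: 2, tag: "0002_rls_policies", when: 1710200000000, breakpoints: true },
  ],
};
export const SAMPLE_FILES: string[] = [
  "0000_init.sql",
  "0002_rls_policies.sql",
  "0003_local_experiment.sql",
];
```

In a deploy script, feed `auditJournal` the parsed `meta/_journal.json` and the directory listing of the migrations folder, and abort before `migrate` runs if `journalIsConsistent` is false; a missing file means a deleted migration, an untracked file means schema changes that production will silently never receive.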