The Security Checklist Every Startup Should Clear Before Launch
Engineering Team·FEB 05, 2026·9 min read
You don't need a security team to ship safely — you need to clear the basics that block 95% of real attacks. Here's the pre-launch checklist we run on every production system.
Authentication and Sessions
- Hash passwords with bcrypt or argon2 — never roll your own
- Use short-lived access tokens with refresh rotation
- Enforce secure, HttpOnly, SameSite cookies
- Offer MFA, at least for admin accounts
Authorization
- Check permissions on the server for every request, not just in the UI
- Default deny — explicitly grant access, never assume it
- Scope every database query by tenant or owner
Input and Output
- Parameterize every query — no string-concatenated SQL, ever
- Validate and sanitize all user input at the boundary
- Escape output to prevent XSS
- Set a strict Content-Security-Policy
Secrets and Config
- No secrets in the repo — use a secrets manager
- Rotate keys and tokens on a schedule
- Separate credentials per environment
Infrastructure
- Enforce HTTPS everywhere with HSTS
- Rate-limit auth endpoints and APIs
- Keep dependencies patched — automate the audit
- Set security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy
Before You Go Live
- Run an automated dependency and secret scan in CI
- Do a basic OWASP Top 10 review of critical flows
- Confirm logging captures auth events without logging secrets
- Have an incident plan — who gets paged, what gets shut off
Clearing this list won't make you unhackable, but it removes the easy wins that automated attackers depend on.