The 5-Minute Security Audit Every Indie Hacker Should Run Before Launch
You've built something great. Before you share it with the world, take 5 minutes to make sure you're not accidentally exposing your API keys, database credentials, or source code to everyone who visits your site.
Want the automated version?
Our free scanner runs 19 checks in 30 seconds — covers everything in this checklist and more.
The 7-Point Checklist
This checklist covers the security issues we see most often in indie hacker and AI-built SaaS products. Each check takes under a minute. Total time: about 5 minutes.
Exposed API Keys in JavaScript Bundles
Severity: critical. Time: 30 sec.
What to look for: AI coding tools often put secret keys (Stripe sk_live_, OpenAI, AWS, Supabase service role) directly in client-side React components. Anything a client component imports is compiled into the JS bundles that every visitor downloads, so a secret there is public. Publishable keys (Stripe pk_, the Supabase anon key) belong in the browser; server keys never do. In Next.js, any environment variable prefixed NEXT_PUBLIC_ is inlined into the bundle, so never give a server key that prefix.
How to check: Run the free security scanner. It downloads your JS bundles and matches them against 17 secret patterns. To check by hand, open DevTools, pick a bundle under Sources and search for sk_live_, AKIA, service_role, or your provider's key prefix. If you find a key, rotate it first and remove it from the code second: deleting the line does not help while the old bundle is still sitting in CDN caches, browser caches and your git history.
Missing Security Headers
Severity: high. Time: 30 sec.
What to look for: Missing Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options and X-Content-Type-Options headers leave your app open to XSS, clickjacking and MIME-sniffing attacks. CSP restricts where scripts can load from, HSTS keeps browsers on HTTPS after the first visit, X-Frame-Options: DENY (or CSP frame-ancestors) stops other sites framing your pages, and X-Content-Type-Options: nosniff stops browsers second-guessing content types.
How to check: Run curl -sD - -o /dev/null https://yourdomain.com and read the response headers, or run the same security scan: it checks all critical headers and tells you exactly which ones are missing, with copy-paste fixes.
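The header check, as an added example that is not the page's scanner: auditHeaders takes a response's headers as a plain object and reports each required header that is missing or present but weak (a short HSTS max-age, a CSP whose script sources allow 'unsafe-inline'), and nextHeaders emits the same baseline in the shape Next.js expects from the headers() hook in next.config.js. The header values are a baseline of my choosing, not a policy the page prescribes, and SAMPLE_RESPONSE_HEADERS is constructed.

```javascript
// Added example (not the page's scanner): audit a response's security headers
// and produce the matching Next.js fix. The values are a baseline; the CSP in
// particular has to be adapted to what your app actually loads.

// Key: canonical header name. fix: value to set. check: returns a problem
// string for a present-but-weak value, or null when it is acceptable.
const REQUIRED_HEADERS = {
  'Strict-Transport-Security': {
    fix: 'max-age=63072000; includeSubDomains; preload',
    check: (v) => {
      const m = /max-age=(\d+)/i.exec(v);
      return m && Number(m[1]) >= 15552000 ? null : 'max-age below 180 days';
    },
  },
  'Content-Security-Policy': {
    fix: "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    check: (v) => {
      // script-src governs scripts; default-src is the fallback when it is absent.
      const dir = /(?:^|;)\s*script-src([^;]*)/i.exec(v) || /(?:^|;)\s*default-src([^;]*)/i.exec(v);
      if (!dir) return 'neither script-src nor default-src is set';
      return /'unsafe-inline'/i.test(dir[1]) ? "script sources allow 'unsafe-inline'" : null;
    },
  },
  'X-Frame-Options': {
    fix: 'DENY',
    check: (v) => (/^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : 'value must be DENY or SAMEORIGIN'),
  },
  'X-Content-Type-Options': {
    fix: 'nosniff',
    check: (v) => (v.trim().toLowerCase() === 'nosniff' ? null : 'value must be nosniff'),
  },
};

// headers: a plain object, e.g. Object.fromEntries(res.headers) from fetch.
// Header names are case-insensitive, so compare them lower-cased.
function auditHeaders(headers) {
  const present = {};
  for (const [k, v] of Object.entries(headers)) present[k.toLowerCase()] = String(v);
  const findings = [];
  for (const [name, spec] of Object.entries(REQUIRED_HEADERS)) {
    const value = present[name.toLowerCase()];
    if (value === undefined) {
      findings.push({ header: name, problem: 'missing', fix: spec.fix });
      continue;
    }
    const problem = spec.check(value);
    if (problem) findings.push({ header: name, problem, fix: spec.fix });
  }
  return findings;
}

// The copy-paste fix for Next.js. In next.config.js:
//   module.exports = { async headers() { return nextHeaders(); } };
function nextHeaders() {
  return [{
    source: '/(.*)',
    headers: Object.entries(REQUIRED_HEADERS).map(([key, spec]) => ({ key, value: spec.fix })),
  }];
}

// Constructed sample: a partially configured response (no CSP, no nosniff, weak HSTS).
const SAMPLE_RESPONSE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'SAMEORIGIN',
  'Strict-Transport-Security': 'max-age=3600',
};
```

Two caveats before pasting the CSP in: Next.js injects inline scripts of its own, so a script-src without nonces breaks hydration (Next.js documents a nonce-based setup via middleware), and any third-party script or image host has to be listed too. Roll a new policy out as Content-Security-Policy-Report-Only first and switch to the enforcing header once the console is clean.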
Exposed .env File
Severity: critical. Time: 10 sec.
What to look for: If your .env file sits in the public directory, or a server misconfiguration serves it, anyone can open yourdomain.com/.env and read all your secrets: database URLs, API keys, JWT secrets.
How to check: Open yourdomain.com/.env in a browser. If you see KEY=value lines, you're exposed. A 200 status by itself is not proof: single-page-app hosts return the index page for any unknown path, so look at the body, not the status code. Try the variants your stack reads as well (.env.local, .env.production). Our scanner also checks this automatically.
Source Maps in Production
Severity: medium. Time: 10 sec.
What to look for: Source maps (.js.map files) expose your original unminified source: component names, API routes, internal logic, comments and sometimes hardcoded values. They're useful in development but should not be served in production.
How to check: Check your build config. In Next.js, productionBrowserSourceMaps is false by default; make sure nothing in next.config.js sets it to true. To confirm on the live site, open a bundle and look at its last line for //# sourceMappingURL=..., then request that .map URL: a 404 is what you want. Our scanner detects exposed source maps.
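The two "look at the response body" checks above (exposed .env, exposed source maps), as one added example that is not the page's scanner: looksLikeDotenv separates a real leaked env file from a SPA fallback page that answers 200 for any path, findSourceMapUrl extracts the .map URL a bundle advertises, and sourceMapExposure tells a .map that carries full sourcesContent from one that only has file names and mappings. DOTENV_CANDIDATES is my list of the file names Next.js and dotenv-based stacks read; the sample responses are constructed.

```javascript
// Added example (not the page's scanner): tell a real leaked .env from a SPA
// fallback page, and find the source map a bundle points at. Sample inputs
// are constructed.

// An env line: optional "export", an UPPER_SNAKE name, then "=".
const DOTENV_LINE = /^\s*(?:export\s+)?[A-Z][A-Z0-9_]*\s*=/;

// A 200 status alone proves nothing: static hosts serve index.html for any
// unknown path. Require the body to actually look like KEY=value lines.
function looksLikeDotenv(status, contentType, body) {
  if (status !== 200) return false;
  if (/text\/html/i.test(contentType || '')) return false;
  if (/<html|<!doctype/i.test(body.slice(0, 200))) return false;
  const lines = body.split(/\r?\n/).filter((l) => l.trim() && !l.trim().startsWith('#'));
  if (lines.length === 0) return false;
  const envLines = lines.filter((l) => DOTENV_LINE.test(l)).length;
  return envLines / lines.length >= 0.8;
}

// File names that Next.js and dotenv-based stacks read (assumption: the common ones).
const DOTENV_CANDIDATES = ['/.env', '/.env.local', '/.env.production', '/.env.development'];

// Live probe (Node 18+ for global fetch): returns the candidate paths that leak.
async function probeDotenv(origin) {
  const leaked = [];
  for (const path of DOTENV_CANDIDATES) {
    const res = await fetch(origin + path, { redirect: 'manual' });
    if (looksLikeDotenv(res.status, res.headers.get('content-type'), await res.text())) leaked.push(path);
  }
  return leaked;
}

// Bundlers append "//# sourceMappingURL=..." (or the /*# ... */ form) to a bundle.
function findSourceMapUrl(bundleText, bundleUrl) {
  const re = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/g;
  let last = null;
  for (const m of bundleText.matchAll(re)) last = m[1];
  if (!last) return null;
  if (last.startsWith('data:')) return { inline: true, url: null }; // map embedded in the bundle itself
  return { inline: false, url: new URL(last, bundleUrl).href };
}

// Classify the response to the .map URL. A map with sourcesContent hands
// over the complete original source files, comments included.
function sourceMapExposure(status, mapBody) {
  if (status !== 200) return 'not exposed';
  try {
    const map = JSON.parse(mapBody);
    if (!Array.isArray(map.sources)) return 'not a source map';
    return Array.isArray(map.sourcesContent) && map.sourcesContent.length
      ? 'exposed with full sources'
      : 'exposed (file names and mappings only)';
  } catch (e) {
    return 'not a source map';
  }
}

// Constructed samples: an index.html fallback and a genuinely leaked file.
const SAMPLE_FALLBACK_BODY = '<!doctype html><html><head><title>App</title></head><body></body></html>';
const SAMPLE_LEAKED_ENV = '# database\nDATABASE_URL=postgres://u:p@db.internal/app\nSTRIPE_SECRET_KEY=sk_live_EXAMPLE0000000000000000\nJWT_SECRET=change-me\n';
```

An inline (data: URL) source map is just as bad as a served .map file, which is why findSourceMapUrl reports it separately rather than returning null.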
Admin Panel Exposure
Severity: high. Time: 30 sec.
What to look for: Common admin routes like /admin, /dashboard/admin or /wp-admin are sometimes reachable without authentication, and attackers scan for them automatically. Note that /_next/data/... is not an admin route: it is where Next.js serves the JSON props of server-rendered pages, so the thing to check there is that getServerSideProps and getStaticProps never return data the page does not show.
How to check: Open your admin routes in an incognito window (not logged in). If you can see anything without auth, it's exposed. Check the API routes the panel calls as well: a page that redirects to /login while the API behind it still answers is just as exposed.
HTTPS Configuration
Severity: high. Time: 10 sec.
What to look for: Your site should force HTTPS and redirect all HTTP traffic (HSTS from the headers check then keeps browsers there on later visits). Mixed content (an HTTPS page loading scripts, images or stylesheets over HTTP) is blocked or flagged by browsers and breaks trust signals for both users and AI systems.
How to check: Open http://yourdomain.com, or run curl -sI http://yourdomain.com, and confirm a 301 or 308 redirect to https://. Then load the HTTPS site with DevTools open: mixed-content warnings show up in the console. If either check fails, fix your server or hosting configuration.
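The HTTPS check as an added example (not the page's scanner): checkHttpRedirect judges the response to the plain-http request, and findMixedContent lists the resources an HTTPS page loads over http://, which is what the browser console warns about. The tag and attribute lists are my own choice and the sample page is constructed.

```javascript
// Added example (not the page's scanner): HTTP-to-HTTPS redirect check and a
// mixed-content finder for a fetched HTML page. Sample inputs are constructed.

// A correct setup answers http:// with a redirect straight to an https:// URL.
function checkHttpRedirect(status, location) {
  if (![301, 302, 307, 308].includes(status)) return { ok: false, reason: `expected a redirect, got ${status}` };
  if (!location || !location.startsWith('https://')) return { ok: false, reason: 'redirect does not go to https://' };
  const permanent = status === 301 || status === 308;
  return { ok: true, reason: permanent ? 'permanent redirect' : 'temporary redirect; prefer 301 or 308' };
}

// Elements whose src/href/data attribute fetches a resource. Anchors (<a>) are
// navigation, not mixed content, so they are deliberately left out.
const LOADING_ELEMENTS = /<(script|img|iframe|link|audio|video|source|object|embed)\b[^>]*?\b(?:src|href|data)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;

function findMixedContent(html, pageUrl) {
  if (!pageUrl.startsWith('https://')) return []; // only meaningful for an HTTPS page
  const found = [];
  for (const m of html.matchAll(LOADING_ELEMENTS)) {
    found.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return found;
}

// Constructed sample page: one clean script, one http:// image, one http:// stylesheet, one plain link.
const SAMPLE_PAGE = [
  '<script src="https://cdn.example.com/app.js"></script>',
  '<img src="http://img.example.com/logo.png">',
  '<link rel="stylesheet" href="http://cdn.example.com/site.css">',
  '<a href="http://example.org/">external</a>',
].join('\n');
```

findMixedContent flags any http:// target on a loading element, including a <link rel="canonical">, so treat its output as a review list rather than a verdict; the browser console remains the authority on what actually gets blocked.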
AI Visibility Check (Bonus)
Severity: info. Time: 60 sec.
What to look for: Security issues hurt AI visibility too. AI platforms deprioritize sites with security problems. While you're auditing security, check if ChatGPT and Perplexity can actually find and recommend your product.
How to check: Run a free AI visibility scan to check 25+ signals across crawlability, structured data, content quality, and more.
The Quick Score Card
After running through the checklist, score yourself:
| Grade | Criteria | Status |
|---|---|---|
| A | All 6 security checks pass (the bonus check is not graded), no exposed secrets, all headers present | Ship it |
| B | No critical issues (no exposed keys), 1-2 missing headers | Ship, fix headers this week |
| C | Missing headers + source maps exposed | Fix before sharing publicly |
| D | Exposed .env or admin panel | Fix NOW before launch |
| F | Exposed API keys in JS bundles | STOP. Rotate the keys immediately, then remove them from the bundle. |
Why This Matters More for AI-Built Apps
If you used Cursor, Claude, ChatGPT, v0, or Bolt to generate your code, the risk is higher. AI tools optimize for "it works" — not "it's secure." They routinely put secret keys in client components, skip security headers, and leave source maps enabled.
In our analysis of 100 AI-built apps, 34% had at least one exposed API key. Don't be in that group.
After Security: Check Your AI Visibility
Security and AI visibility are connected. AI platforms like ChatGPT and Perplexity deprioritize sites with trust issues. Once your security is clean, check if AI can actually find and recommend your product.
Free AI Visibility Scan
25+ signals. See if ChatGPT, Perplexity, and Gemini can find your product. Get your AI Visibility Score.
FAQ
How long does a basic security audit take?
With a free scanner like AI Exposure Tool, a basic 19-point security audit takes about 30 seconds. Manually checking the same things takes about 5 minutes if you know what to look for.
What security checks should I run before launching a SaaS?
Check for: 1) Exposed API keys in JavaScript bundles, 2) Missing security headers (CSP, HSTS, X-Frame-Options), 3) Exposed .env files, 4) Source maps enabled in production, 5) Admin panels accessible without auth, 6) HTTPS properly configured.
Is my .env file exposed?
Try accessing yourdomain.com/.env in a browser. If you see your environment variables, your .env file is publicly accessible. This often happens with misconfigured static hosting or when .env is accidentally placed in the public directory.