A condensed, auditable reference for people building web apps with AI — covering the security and architecture non-negotiables that most tutorials skip.
AI has made it possible to build and ship real web apps without a traditional development background. That's genuinely useful. The problem is that the things that make an app safe and production-ready — auth, access control, input validation, API security, secrets management — aren't covered in tutorials, aren't generated by default, and aren't obvious unless you already know to look for them.
Most people shipping AI-built apps have no idea what attack surface they're exposing. This checklist exists to change that.
- Solo founders and indie hackers building with AI (Cursor, Copilot, Claude, etc.)
- Non-developers shipping real products on modern stacks (Supabase, Vercel, Firebase, Railway)
- Anyone who can build something functional but isn't sure if it's safe
If you're a senior developer, most of this is second nature. If you're not, none of it is obvious — and that gap is what this closes.
The checklist is split into two parts that work together.
Part 1 — The Professional Developer Checklist covers:
- Core coding principles
- System design and scalability
- Security principles
- The Twelve-Factor App
- Continuous delivery and operations
Part 2 — Security and Deployment Non-Negotiables covers:
- Authentication and session management
- Authorization and access control
- Input validation and injection prevention
- API security
- Secrets and data security
- Dependencies and maintenance
- Solo deployment baseline
38 additional checklist items across 7 categories, each with the rule, why it matters, and a tag so you can audit against your codebase.
Before you build: Use it to write better prompts. Feed the relevant sections to your AI tool alongside your requirements. You'll get significantly better output than from a prompt alone.
Before you ship: Run through it as a pre-launch checklist. Each item is written to be verifiable against your actual codebase — not just a principle to agree with.
When auditing AI-generated code: Use it as a reference to check what the AI may have skipped. AI generates code that looks right. This tells you what to verify.
- OWASP Top 10
- The Twelve-Factor App
- OWASP Application Security Verification Standard
- Supabase Security Documentation
If something is wrong, missing, or outdated — open an issue or submit a PR. The goal is for this to stay current and honest, not comprehensive to the point of being unusable.
Stack-specific supplements (Firebase, PlanetScale, AWS Amplify, etc.) are welcome as separate files.
MIT. Use it, share it, build on it.