# Security Checklist for Web Apps

Interactive, implementation-focused security checklist for full-stack web applications. 95 items across 10 sections covering React frontends, FastAPI backends, Postgres/DuckDB databases, Cloudflare edge protection, infrastructure, MCP servers, server hardening, and authentication. Each item explains the risk in plain English and shows the fix as working code. Built from real production hardening of 20+ microservices.

## Links
- App: https://www.tigzig.com/security
- Live Examples: https://www.tigzig.com/security-examples
- Full checklist (95 items, AI-readable): /ai/apps/security-checklist-full.md
- Downloadable from the page: click the "Download .md" button

## Tags
security, infrastructure, fastapi, react, cloudflare

## Sections

1. **React Frontend (Vite + Vercel)** — Security headers, CSP, CORS, rate limiting, login brute force, environment variables, source maps, iframe security, URL validation, DOMPurify, Auth0 config, JWT validation, cookie hardening, backend URL exposure, self-host CDN assets, dev server network exposure, serverless proxy architecture, RPC obfuscation, noscript fallback, global daily rate limit, HTML entity escaping
2. **FastAPI Backend** — CORS (wildcard vs explicit origins), rate limiting (SlowAPI), concurrency limiting, SQL validation stack (incl. sqlglot parser), admin write whitelist, error sanitization (global handler), API key auth, client IP extraction, webhook verification, SSRF protection (redirect validation), API monitoring, file upload validation, SSL certificate verification, centralized logging & PII retention, temp file cleanup, read-only enforcement
3. **Database Layer (Postgres)** — Indexes, statement timeout, read-only roles, Supabase RLS, connection pool config, SECURITY DEFINER function audit, least privilege table grants
4. **DuckDB-Specific** — Read-only mode, resource limits, query interrupt, container limits, file locking, asyncio event loop blocking
5. **Perimeter / Edge Protection (Cloudflare)** — Orange cloud proxy, grey cloud audit, browser integrity + security level, JS challenge WAF rule on frontends, native WAF rate limit, edge rate limiting via Workers (per-domain tiers), zone-level IP blocking
6. **Infrastructure** — Credential management, .gitignore, dependency supply chain, shared backend blast radius, deploy gap verification
7. **Incident Response** — Active attack vs discovered incident protocol, credential rotation, secret rotation plan, incident investigation with centralized logs
8. **MCP Server Security** — Client IP forwarding, open vs secured endpoints, transport compatibility, failed-auth rate limiting
9. **Server Security (VPS)** — SSH key-only access, fail2ban, firewall, non-root user, Docker image cleanup
10. **Authentication & Authorization** — When OAuth is mandatory, backend token verification, API keys never in browser, RBAC, OAuth for MCP servers, one-time tokens, signed URLs, choosing an OAuth provider

## Live Examples

Hardened apps with source code available:
- **QRep — Security Analytics** — Full-stack (React + FastAPI), both hardened. Frontend: github.com/amararun/qrep-security-analytics, Backend: github.com/amararun/qrep-backend-fastapi
- **Database MCP Server** — FastAPI MCP server with Auth0 OAuth secured endpoint. Repo: github.com/amararun/shared-fastapi-database-mcp
- **Yahoo Finance MCP Server** — FastAPI MCP server, open endpoint only. Repo: github.com/amararun/shared-yfin-coolify
- **DuckDB Dashboards Backend** — Consolidated FastAPI backend for DuckDB. Repo: github.com/amararun/shared-duckdb-dashboards-backend

## Features

- Section filter buttons to view items by category
- Full-text search across all item fields (title, risk, solution, fix, notes)
- Collapsible cards with THE RISK / THE SOLUTION / THE FIX structure
- Download as .md file for AI coders to use in their workflows
- Mobile responsive

## For AI Coders

The full checklist (95 items) is available at /ai/apps/security-checklist-full.md — same format as the "Download .md" button on the page. Each item includes the risk, solution in plain English, and working code fix. Feed it to your AI coding assistant when setting up a new repo or auditing an existing one.
