Rocket generates production-grade code, but security is a shared responsibility. This guide covers the essential security practices you should follow before launching any app - especially apps that handle user data, payments, or sensitive information.
Never ship an app with API keys exposed in client-side code or authentication disabled on protected routes. Review this checklist before every production deployment.

API key management

Secret API keys (your Stripe secret key, the Supabase service_role key, keys for third-party APIs) grant full access to those services. Exposing one in your frontend code means anyone who opens your site can copy it and act as your app. Keys designed for the browser, such as your Supabase anon key or Stripe publishable key, are the exception: they are meant to be public, and the service limits what they can do (for Supabase, that limit is your row-level security policies).
Store all API keys in environment variables, never in source code
Use server-side API routes to call external services - never make API calls with secret keys from the browser
Use separate API keys for development/staging and production
Rotate API keys immediately if you suspect they’ve been exposed
Review your codebase for hardcoded keys before publishing (search for strings starting with sk_, which is how Stripe secret keys begin, as well as key_ and secret)
Ask Rocket to help:
Move all API keys to environment variables and make sure they're only accessed from server-side API routes.
Rocket stores environment variables securely and injects them at build time. Server-side variables never reach the client-side bundle; only variables prefixed with NEXT_PUBLIC_ are compiled into it, so treat those as public.

Authentication

If your app has user accounts, protected pages, or personalized content, you need authentication.
Enable authentication for any page that shows user-specific data
Protect all API routes that create, update, or delete data
Implement sign-up, log-in, and password reset flows
Use secure session management (Rocket + Supabase handle this by default)
Add email verification for new accounts when possible
Redirect unauthenticated users to the login page instead of showing empty states
Ask Rocket to help:
Add authentication to my app using Supabase Auth. Protect the dashboard and settings pages so only logged-in users can access them. Add sign up, log in, and password reset pages.
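A guard that enforces the rules above, as an added example rather than Rocket's or Supabase's own code. It is framework-agnostic: the minimal request shape, the `lookupUser` callback (which stands in for a real session check such as `supabase.auth.getUser()`), and the protected-path list are assumptions for the example. It returns a decision that a Next.js route handler or middleware would turn into a 401 response or a redirect.

```typescript
// Added example, not Rocket's or Supabase's own code. `lookupUser` is an assumed
// injection point standing in for a real session check (e.g. supabase.auth.getUser()).

export type User = { id: string };

// What the guard decides; a Next.js handler would turn this into a Response:
// 401 JSON for API callers, a 302 with Location for page visitors.
export type Decision =
  | { status: 200; user: User | null }
  | { status: 401 }
  | { status: 302; location: string };

// Pages and routes that only signed-in users may see (assumed for the example).
// Keeping the list explicit makes "is every user-specific page protected?" a
// one-glance review instead of a hunt through components.
const PROTECTED_PREFIXES = ["/dashboard", "/settings", "/api/notes"];
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

export function isProtectedPath(pathname: string): boolean {
  return PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/"),
  );
}

// Any API route that creates, updates or deletes data needs a user, whether or
// not it is in the prefix list, so a forgotten route fails closed.
export function requiresUser(method: string, pathname: string): boolean {
  return (
    isProtectedPath(pathname) ||
    (pathname.startsWith("/api/") && MUTATING_METHODS.has(method.toUpperCase()))
  );
}

// Only send users back to a same-origin path after login. "//evil.example" and
// "/\evil.example" are both treated as protocol-relative URLs by browsers, so an
// unchecked return path would turn /login into an open redirect.
export function safeReturnPath(candidate: string): string {
  return /^\/(?![\/\\])/.test(candidate) ? candidate : "/";
}

// Pure decision function: `target` is the path plus optional query string.
export function decide(method: string, target: string, user: User | null): Decision {
  const pathname = target.split("?")[0];
  if (!requiresUser(method, pathname) || user) return { status: 200, user };
  // API callers get a status they can handle; page visitors are sent to the
  // login page with a return path instead of an empty, half-rendered screen.
  if (pathname.startsWith("/api/")) return { status: 401 };
  const next = encodeURIComponent(safeReturnPath(target));
  return { status: 302, location: `/login?next=${next}` };
}

// Glue in the shape of a route wrapper. The request type is deliberately
// minimal so the example runs without a framework; adapt it to NextRequest.
export type MinimalRequest = { method: string; url: string; headers: Record<string, string> };
export type LookupUser = (req: MinimalRequest) => Promise<User | null>;

export function guard(lookupUser: LookupUser): (req: MinimalRequest) => Promise<Decision> {
  return async (req) => decide(req.method, req.url, await lookupUser(req));
}

// Constructed stand-in for a session lookup, used only to exercise the guard.
export const demoLookup: LookupUser = async (req) =>
  req.headers["x-demo-session"] === "alice" ? { id: "alice" } : null;
```

Two details matter in practice: every mutating API call requires a user regardless of the path list, so a route you forgot to list fails closed rather than open, and the `next` return path is restricted to same-origin paths so the login page cannot be used as an open redirect.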

Row-level security (RLS)

If you’re using Supabase, row-level security ensures users can only access their own data at the database level - even if there’s a bug in your application code.
Enable RLS on every Supabase table that stores user data
Create policies that restrict reads and writes to the authenticated user’s own rows
Test policies by signing in as one user and trying to read another user's rows (you should get an empty result, not an error) and to write to them (an insert or update that violates the policy should be rejected or affect zero rows)
Never use the Supabase service_role key in client-side code - it bypasses RLS entirely
Ask Rocket to help:
Enable row-level security on all Supabase tables. Add policies so users can only read and write their own data. Make sure the service_role key is only used in server-side API routes.
RLS is the last line of defense. Even if your API has a bug that sends the wrong query, RLS will prevent data leaks at the database level, as long as the query runs with the user's session (the anon or authenticated role) rather than the service_role key, which bypasses every policy.
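An added example, not Rocket's or Supabase's own code, with two parts: `ownerOnlyPolicies` emits the SQL that enables RLS on a table and adds owner-only policies (assuming rows carry the owner's id in a `user_id` column and using Supabase's `auth.uid()` helper), and `auditRls` runs over rows shaped like the output of Postgres's `pg_tables` and `pg_policies` catalog views to catch the states this checklist warns about. The catalog rows at the bottom are constructed for the example.

```typescript
// Added example, not Rocket's or Supabase's own code. Assumes each table stores
// the owning user's id in `ownerColumn` (default user_id) and uses Supabase's
// auth.uid() helper, which returns the id of the user behind the request's JWT.

// Emits the migration for one table: turn on RLS, then one policy per command.
// Without RLS the anon key can read every row; with these policies only the
// service_role key can, which is why that key must stay server-side.
export function ownerOnlyPolicies(table: string, ownerColumn = "user_id"): string {
  // Plain identifiers only: this text becomes SQL, so refuse anything else.
  for (const ident of [table, ownerColumn]) {
    if (!/^[a-z_][a-z0-9_]*$/.test(ident)) throw new Error(`unsafe identifier: ${ident}`);
  }
  const t = `public.${table}`;
  const own = `(auth.uid() = ${ownerColumn})`;
  return [
    `alter table ${t} enable row level security;`,
    `create policy "${table}_select_own" on ${t} for select to authenticated using ${own};`,
    `create policy "${table}_insert_own" on ${t} for insert to authenticated with check ${own};`,
    `create policy "${table}_update_own" on ${t} for update to authenticated using ${own} with check ${own};`,
    `create policy "${table}_delete_own" on ${t} for delete to authenticated using ${own};`,
  ].join("\n");
}

// Row shapes of two catalog queries you can run in the Supabase SQL editor:
//   select tablename, rowsecurity from pg_tables where schemaname = 'public';
//   select tablename, policyname, cmd, qual, with_check
//     from pg_policies where schemaname = 'public';
export type TableRow = { tablename: string; rowsecurity: boolean };
export type PolicyRow = {
  tablename: string; policyname: string; cmd: string;
  qual: string | null; with_check: string | null;
};
export type RlsFinding = { table: string; problem: string };

export function auditRls(tables: TableRow[], policies: PolicyRow[]): RlsFinding[] {
  const findings: RlsFinding[] = [];
  for (const t of tables) {
    if (!t.rowsecurity) {
      findings.push({ table: t.tablename, problem: "RLS disabled: the anon key can read every row" });
      continue;
    }
    const own = policies.filter((p) => p.tablename === t.tablename);
    if (own.length === 0) {
      // Safe but broken: RLS with no policies denies everything to anon/authenticated.
      findings.push({ table: t.tablename, problem: "RLS enabled but no policies: app queries return nothing" });
    }
    for (const p of own) {
      // A condition of literally `true` restricts nothing; this is RLS in name only.
      const wideOpen = [p.qual, p.with_check].some(
        (c) => c !== null && c.trim().toLowerCase() === "true",
      );
      if (wideOpen) {
        findings.push({ table: t.tablename, problem: `policy "${p.policyname}" (${p.cmd}) uses true as its condition` });
      }
    }
  }
  return findings;
}

// Constructed catalog rows for the example, not from a real project.
export const SAMPLE_TABLES: TableRow[] = [
  { tablename: "notes", rowsecurity: true },
  { tablename: "profiles", rowsecurity: false },
  { tablename: "invoices", rowsecurity: true },
  { tablename: "feedback", rowsecurity: true },
];
export const SAMPLE_POLICIES: PolicyRow[] = [
  { tablename: "notes", policyname: "notes_select_own", cmd: "SELECT", qual: "(auth.uid() = user_id)", with_check: null },
  { tablename: "notes", policyname: "notes_insert_own", cmd: "INSERT", qual: null, with_check: "(auth.uid() = user_id)" },
  { tablename: "invoices", policyname: "anyone can read", cmd: "SELECT", qual: "true", with_check: null },
];
```

The `true` check is the one people miss: a policy is only as strong as its condition, and a table with RLS "enabled" but a `using (true)` policy is as exposed as one with RLS off. The "no policies" finding is the opposite failure, safe but broken, and is usually what is going on when a freshly protected table suddenly returns empty results to your app.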

Environment variables

Environment variables keep sensitive configuration out of your source code.
All secrets (API keys, database URLs, webhook secrets) are stored as environment variables
Environment variables are set in Rocket’s deployment settings, not committed to code
Client-side environment variables (prefixed with NEXT_PUBLIC_) contain only non-sensitive values
Server-side environment variables are only accessible from API routes and server components
Any environment variable prefixed with NEXT_PUBLIC_ is compiled into the browser bundle and is visible to anyone using your app. Only use this prefix for values that are safe to expose publicly, like your Supabase project URL and anon key (never the service_role key or any other secret key). The anon key is only safe to expose because row-level security limits what it can do.
For step-by-step instructions on adding and managing environment variables in the editor, see Environment variables.

HTTPS and transport security

Your app is served over HTTPS (Rocket enforces this automatically on all deployments)
External API calls use HTTPS endpoints, not HTTP
WebSocket connections use WSS (secure WebSocket), not WS
Rocket automatically provisions SSL certificates for all deployed apps, including custom domains. You don’t need to configure HTTPS manually.
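One pre-deployment check that covers the API key, environment variable, and transport rules above, as an added example that is not Rocket's own tooling. It scans source text for hardcoded secret literals (Stripe `sk_live_`/`sk_test_` keys, a Supabase service_role JWT, and `secret = "..."` style assignments), flags NEXT_PUBLIC_ variables that carry a secret, and flags URL-valued variables that use http:// or ws://. The file contents, environment map and unsigned JWTs are constructed for the example; the key-name patterns are assumptions to extend for your own providers.

```typescript
// Added example, not Rocket's own tooling. File contents, the env map and the
// JWTs below are constructed; the key-name patterns are assumptions to extend.

export type ConfigFinding = { where: string; problem: string };

// Builds an unsigned JWT with the given payload, purely to construct sample data
// that looks like a Supabase key (a real key is signed with your project secret).
function fakeJwt(payload: object): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(payload)}.notasignature`;
}

// Supabase's anon and service_role keys are JWTs whose payload names the role,
// so the dangerous one can be recognised without knowing the project.
export function isServiceRoleJwt(value: string): boolean {
  const parts = value.split(".");
  if (parts.length !== 3 || !parts[0].startsWith("eyJ")) return false;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return payload.role === "service_role";
  } catch {
    return false;
  }
}

// Literals that should never appear in committed source. `process.env.X` references
// are not matched, but a fallback such as `process.env.X ?? "sk_live_..."` still is.
const SECRET_LITERALS: Array<[RegExp, string]> = [
  [/\bsk_(live|test)_[0-9A-Za-z]{8,}/, "Stripe secret key"],
  [/\brk_(live|test)_[0-9A-Za-z]{8,}/, "Stripe restricted key"],
  [/\b(secret|api[_-]?key|service_role)\w*\s*[:=]\s*["'][^"']{8,}["']/i, "hardcoded secret assignment"],
];

export function scanSources(files: Record<string, string>): ConfigFinding[] {
  const out: ConfigFinding[] = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      const where = `${path}:${i + 1}`;
      for (const [re, what] of SECRET_LITERALS) if (re.test(line)) out.push({ where, problem: what });
      for (const tok of line.match(/eyJ[\w-]+\.[\w-]+\.[\w-]+/g) ?? []) {
        if (isServiceRoleJwt(tok)) out.push({ where, problem: "Supabase service_role key" });
      }
    });
  }
  return out;
}

// Checks the deployed environment: nothing secret behind NEXT_PUBLIC_, and every
// endpoint on https:// or wss://. Run it against production values, not .env.local.
export function auditEnv(env: Record<string, string>): ConfigFinding[] {
  const out: ConfigFinding[] = [];
  for (const [name, value] of Object.entries(env)) {
    const secretName = /(SECRET|SERVICE_ROLE|PRIVATE|PASSWORD|TOKEN)/.test(name);
    const secretValue = /^(sk|rk)_(live|test)_/.test(value) || isServiceRoleJwt(value);
    if (name.startsWith("NEXT_PUBLIC_") && (secretName || secretValue)) {
      out.push({ where: name, problem: "secret exposed to the browser through the NEXT_PUBLIC_ prefix" });
    }
    if (/^(http|ws):\/\//i.test(value)) {
      out.push({ where: name, problem: "plaintext http:// or ws:// endpoint; use https:// or wss://" });
    }
  }
  return out;
}

// Constructed inputs for the example.
const SAMPLE_SERVICE_ROLE_JWT = fakeJwt({ iss: "supabase", role: "service_role" });
export const SAMPLE_FILES: Record<string, string> = {
  "app/api/checkout/route.ts": 'const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!); // correct: server-side, from env',
  "components/Checkout.tsx": '// a client component\nconst stripe = new Stripe("sk_live_EXAMPLEEXAMPLEEXAMPLE"); // leak',
  "lib/admin.ts": `const adminKey = "${SAMPLE_SERVICE_ROLE_JWT}"; // leak`,
};
export const SAMPLE_ENV: Record<string, string> = {
  NEXT_PUBLIC_SUPABASE_URL: "https://abcdefghijkl.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: fakeJwt({ iss: "supabase", role: "anon" }), // public by design
  SUPABASE_SERVICE_ROLE_KEY: SAMPLE_SERVICE_ROLE_JWT, // server-only: fine
  NEXT_PUBLIC_STRIPE_SECRET_KEY: "sk_live_EXAMPLEEXAMPLEEXAMPLE", // wrong prefix for a secret
  NEXT_PUBLIC_API_BASE: "http://api.example.com", // plaintext transport
};
```

The JWT decode is what lets the check tell the anon key (public by design) apart from the service_role key (never public) even though both look like opaque `eyJ...` strings; the name-based rule catches the more common mistake of simply prefixing a secret with NEXT_PUBLIC_ to "make it work" in a client component.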

Privacy considerations

Only collect user data you actually need
Display a privacy policy that explains what data you collect and how it’s used
Add cookie consent notices if you use analytics or tracking (required in the EU)
Provide a way for users to delete their account and data
Don’t log sensitive information (passwords, full credit card numbers, personal identifiers) in server logs
Ask Rocket to help:
Add a privacy policy page to my app. Include a cookie consent banner. Add an account deletion option in user settings.
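A redaction step for the last point above, as an added example rather than Rocket's own logging. It masks values under sensitive keys, masks anything that passes a Luhn check as a card number (both whole values and numbers embedded in free text), and partially masks email addresses, recursing through nested objects and arrays. The key list is an assumption to extend for your own field names, and the sample event is constructed.

```typescript
// Added example, not Rocket's own logging. The key list is an assumption to
// extend for your own field names; the event at the bottom is constructed.

// Field names whose values are never worth logging, whatever they contain.
const SENSITIVE_KEYS = /^(password|passwd|pass|token|secret|authorization|cookie|ssn|card(number)?|cvc|cvv)$/i;

// Luhn check: separates real card numbers from other 13-19 digit strings
// (order ids, timestamps) so masking does not mangle harmless values.
export function isLikelyCardNumber(s: string): boolean {
  const digits = s.replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) d = d > 4 ? d * 2 - 9 : d * 2;
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Keep the last four digits, which is what support staff need to identify a card.
export function maskCard(s: string): string {
  return `****${s.replace(/[\s-]/g, "").slice(-4)}`;
}

const CARD_IN_TEXT = /\b\d(?:[ -]?\d){12,18}\b/g;
const EMAIL_IN_TEXT = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;

// Returns a copy safe to hand to console.log or a log shipper. Sensitive keys
// are redacted whatever their value; strings are scrubbed for card numbers and
// email addresses; objects and arrays are walked recursively.
export function redact(value: unknown, key = ""): unknown {
  if (SENSITIVE_KEYS.test(key)) return "[REDACTED]";
  if (typeof value === "string") {
    if (isLikelyCardNumber(value)) return maskCard(value);
    return value
      .replace(CARD_IN_TEXT, (m) => (isLikelyCardNumber(m) ? maskCard(m) : m))
      .replace(EMAIL_IN_TEXT, (m) => `${m[0]}***@${m.split("@")[1]}`);
  }
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redact(v, k)]));
  }
  return value;
}

// Constructed log event for the example.
export const SAMPLE_EVENT = {
  level: "warn",
  msg: "checkout failed for alice@example.com",
  user: { id: "u_42", email: "alice@example.com", password: "hunter2" },
  payment: { cardNumber: "4242 4242 4242 4242", cvc: "123", amount: 1999 },
  note: "customer read card 4012-8888-8888-1881 over the phone",
  headers: { authorization: "Bearer abc.def.ghi", "x-request-id": "req_1234567890123" },
};
```

Call `redact` on the event object before it reaches your logger, not on the formatted log line: once the values are interpolated into a string you can no longer tell a password field from a free-text note. The Luhn check is what keeps the order id `req_1234567890123` intact while the card number in the note is masked.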

Security audit prompt

Before each deployment, ask Rocket to run a security check on your app:
Review my app for security issues. Check for exposed API keys, missing authentication on protected routes, Supabase RLS status, and any client-side code that handles sensitive data.
This won’t catch everything, but it’s a fast way to surface common mistakes.

What’s next?

Add payments

Connect Stripe and handle payments securely.

Launch your site

Test in staging before going live.

Compliance

Accessibility, legal, and regulatory considerations.

Your first task

Build and deploy your first app from scratch.