> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rocket.new/llms.txt
> Use this file to discover all available pages before exploring further.

# Security checklist

> Rocket.new security best practices - API keys, auth, RLS, and privacy.

export const LlmsDirective = () => <blockquote className="llms-directive">
    For the complete documentation index, see <a href="/llms.txt">llms.txt</a>.
    For a lightweight markdown version of this page, append .md to the URL.
  </blockquote>;

<LlmsDirective />

Rocket generates production-grade code, but security is a shared responsibility. This guide covers the essential security practices you should follow before launching any app - especially apps that handle user data, payments, or sensitive information.

<Warning>
  Never ship an app with API keys exposed in client-side code or authentication disabled on protected routes. Review this checklist before every production deployment.
</Warning>

## API key management

API keys grant access to services like Supabase, Stripe, and third-party APIs. Exposing them in your frontend code means anyone can see and misuse them.

<Check>Store all API keys in environment variables, never in source code</Check>
<Check>Use server-side API routes to call external services - never make API calls with secret keys from the browser</Check>
<Check>Use separate API keys for development/staging and production</Check>
<Check>Rotate API keys immediately if you suspect they've been exposed</Check>
<Check>Review your codebase for hardcoded keys before publishing (search for strings starting with `sk_`, `key_`, or `secret`)</Check>

**Ask Rocket to help:**

```plaintext wrap theme={null}
Move all API keys to environment variables and make sure they're only accessed from server-side API routes.
```

<Info>
  Rocket stores environment variables securely and injects them at build time. They are never exposed in the client-side bundle.
</Info>

## Authentication

If your app has user accounts, protected pages, or personalized content, you need authentication.

<Check>Enable authentication for any page that shows user-specific data</Check>
<Check>Protect all API routes that create, update, or delete data</Check>
<Check>Implement sign-up, log-in, and password reset flows</Check>
<Check>Use secure session management (Rocket + Supabase handle this by default)</Check>
<Check>Add email verification for new accounts when possible</Check>
<Check>Redirect unauthenticated users to the login page instead of showing empty states</Check>

**Ask Rocket to help:**

```plaintext wrap theme={null}
Add authentication to my app using Supabase Auth. Protect the dashboard and settings pages so only logged-in users can access them. Add sign up, log in, and password reset pages.
```

## Row-level security (RLS)

If you're using Supabase, row-level security ensures users can only access their own data at the database level - even if there's a bug in your application code.

<Check>Enable RLS on every Supabase table that stores user data</Check>
<Check>Create policies that restrict reads and writes to the authenticated user's own rows</Check>
<Check>Test policies by trying to access another user's data (you should get an empty result)</Check>
<Check>Never use the Supabase `service_role` key in client-side code - it bypasses RLS entirely</Check>

**Ask Rocket to help:**

```plaintext wrap theme={null}
Enable row-level security on all Supabase tables. Add policies so users can only read and write their own data. Make sure the service_role key is only used in server-side API routes.
```

<Note>
  RLS is the last line of defense. Even if your API has a bug that sends the wrong query, RLS will prevent data leaks at the database level.
</Note>

## Environment variables

Environment variables keep sensitive configuration out of your source code.

<Check>All secrets (API keys, database URLs, webhook secrets) are stored as environment variables</Check>
<Check>Environment variables are set in Rocket's deployment settings, not committed to code</Check>
<Check>Client-side environment variables (prefixed with `NEXT_PUBLIC_`) contain only non-sensitive values</Check>
<Check>Server-side environment variables are only accessible from API routes and server components</Check>

<Warning>
  Any environment variable prefixed with `NEXT_PUBLIC_` is visible to anyone using your app. Only use this prefix for values that are safe to expose publicly, like your Supabase project URL (not your secret key).
</Warning>

For step-by-step instructions on adding and managing environment variables in the editor, see [Environment variables](/build/editor/env-variables).

## HTTPS and transport security

<Check>Your app is served over HTTPS (Rocket enforces this automatically on all deployments)</Check>
<Check>External API calls use HTTPS endpoints, not HTTP</Check>
<Check>WebSocket connections use WSS (secure WebSocket), not WS</Check>

Rocket automatically provisions SSL certificates for all deployed apps, including custom domains. You don't need to configure HTTPS manually.

## Privacy considerations

<Check>Only collect user data you actually need</Check>
<Check>Display a privacy policy that explains what data you collect and how it's used</Check>
<Check>Add cookie consent notices if you use analytics or tracking (required in the EU)</Check>
<Check>Provide a way for users to delete their account and data</Check>
<Check>Don't log sensitive information (passwords, full credit card numbers, personal identifiers) in server logs</Check>

**Ask Rocket to help:**

```plaintext wrap theme={null}
Add a privacy policy page to my app. Include a cookie consent banner. Add an account deletion option in user settings.
```

## Security audit prompt

Before each deployment, ask Rocket to run a security check on your app:

```plaintext wrap theme={null}
Review my app for security issues. Check for exposed API keys, missing authentication on protected routes, Supabase RLS status, and any client-side code that handles sensitive data.
```

This won't catch everything, but it's a fast way to surface common mistakes.

## What's next?

<CardGroup cols={2}>
  <Card title="Add payments" icon="credit-card" href="/learn/tutorials/adding-payments">
    Connect Stripe and handle payments securely.
  </Card>

  <Card title="Launch your site" icon="rocket" href="/build/launch-web/launch-your-site">
    Test in staging before going live.
  </Card>

  <Card title="Compliance" icon="file-shield" href="/build/polish/compliance">
    Accessibility, legal, and regulatory considerations.
  </Card>

  <Card title="Your first task" icon="play" href="/learn/tutorials/your-first-task">
    Build and deploy your first app from scratch.
  </Card>
</CardGroup>
