# SecureStartKit

> SecureStartKit is the security-first Next.js SaaS template for solo developers who refuse to ship vulnerable code. Backend-only data access, Zod validation on every input, RLS deny-all by default, signature-verified Stripe webhooks, and one-time pricing. The site you are reading IS the template running in production.

The codebase enforces a small number of architectural rules that make the security posture verifiable rather than aspirational: every Server Action validates input with Zod, every database query runs through `createAdminClient()` server-side (the browser Supabase client is used only for authentication), every Stripe webhook verifies its signature before any event is processed, and no sensitive secret carries the `NEXT_PUBLIC_` prefix. The blog and free tools document each of these patterns in depth.

## Architecture and security

- [Backend-only data access](https://securestartkit.com/blog/backend-only-data-access-the-architectural-pattern-that-prevents-supabase-leaks-2026): the canonical pattern that prevents Supabase leaks. The architectural prerequisite for everything else.
- [The Next.js security hardening checklist (12 steps)](https://securestartkit.com/blog/the-nextjs-security-hardening-checklist-12-steps-to-ship-a-secure-app): production hardening checklist organized into 12 enforceable steps.
- [OWASP Top 10 for Next.js and Supabase apps (2026)](https://securestartkit.com/blog/owasp-top-10-for-nextjs-and-supabase-apps-2026): every OWASP Top 10:2025 category mapped to a Next.js + Supabase failure pattern and the architectural defense.
- [The security architecture most SaaS templates skip](https://securestartkit.com/blog/the-security-architecture-most-saas-templates-skip): five architectural patterns most starter kits miss.
- [Why security-first matters for SaaS](https://securestartkit.com/blog/why-security-first-saas): the case for treating security as architecture, not an afterthought.
## Authentication and access control

- [Supabase authentication in Next.js App Router (2026)](https://securestartkit.com/blog/supabase-authentication-in-next-js-app-router-the-complete-2026-guide): the authoritative reference for Supabase auth in App Router.
- [Supabase OAuth, magic links, MFA in Next.js (2026)](https://securestartkit.com/blog/supabase-oauth-magic-links-and-mfa-the-secure-implementation-guide): PKCE flow, redirect URL allowlists, AAL2 step-up, and 5 implementation failure modes.
- [JWT and session management in Supabase + Next.js](https://securestartkit.com/blog/jwt-and-session-management-in-supabase-nextjs-explained): ES256 asymmetric signing, `getClaims` vs `getUser` vs `getSession`, the Custom Access Token Hook pattern.
- [Multi-tenancy and RBAC in Supabase, the secure pattern](https://securestartkit.com/blog/multi-tenancy-and-rbac-in-supabase-the-secure-pattern): column-based shared-schema model, JWT claims, RLS with `WITH CHECK`, the composite-index rule.
- [Supabase RLS policies that actually work (2026)](https://securestartkit.com/blog/supabase-rls-policies-that-actually-work-2026): the RLS deep-dive with debugging walkthroughs and real-world patterns.
- [proxy.ts authentication, route protection with Supabase](https://securestartkit.com/blog/nextjs-proxy-ts-authentication-how-to-protect-routes-with-supabase-2026): middleware-layer auth gating.

## Application security and hardening

- [CSRF, XSS, and SQL injection prevention in Next.js](https://securestartkit.com/blog/csrf-xss-sql-injection-prevention-in-nextjs-the-complete-guide): three-layer defense architecture (Origin/Host checks, nonce-based CSP, PostgREST auto-parameterization).
- [Server Actions + Zod, the complete guide](https://securestartkit.com/blog/next-js-server-actions-zod-the-complete-guide-to-type-safe-form-validation): validate-then-authorize-then-query pattern, Zod 4 syntax, React 19 `useActionState`.
- [How to rate-limit Next.js Server Actions](https://securestartkit.com/blog/how-to-rate-limit-nextjs-server-actions-before-they-get-abused): rate limiting patterns for the Server Action surface.
- [Secure `use cache` in Next.js 16](https://securestartkit.com/blog/next-js-use-cache-directive-complete-guide-2026): three trust models, cookies/headers rule, three real Next.js cache CVEs.

## Data layer and secrets

- [Exposed API keys, how AI tools leak secrets](https://securestartkit.com/blog/exposed-api-keys-how-ai-tools-leak-your-secrets-and-how-to-lock-them-down): Google's $82K incident, 5,000+ repos leaking ChatGPT keys, lockdown patterns.
- [Next.js environment variables, the leak prevention guide](https://securestartkit.com/blog/nextjs-environment-variables-the-leak-prevention-guide): 6 distinct leak modes specific to Next.js 15/16 and the architectural defenses.
- [Secure file uploads with Next.js + Supabase Storage](https://securestartkit.com/blog/secure-file-uploads-nextjs-supabase-storage-2026): upload validation, MIME-type enforcement, signed URLs.
- [Supabase vs Firebase in 2026](https://securestartkit.com/blog/supabase-vs-firebase-in-2026-which-backend-for-your-saas): backend choice trade-offs for SaaS.

## Payments and monetization

- [How to add Stripe payments to Next.js using Server Actions (2026)](https://securestartkit.com/blog/how-to-add-stripe-payments-to-next-js-using-server-actions-2026-guide): the one-time payments guide with a full code walkthrough.
- [Stripe webhook signature verification in Next.js](https://securestartkit.com/blog/stripe-webhook-signature-verification-in-nextjs): debugging-first deep dive on 5 signature-verification failure modes.
- [One-time vs subscription SaaS billing (comparison)](https://securestartkit.com/compare/one-time-vs-subscription-saas-billing): decision framework grounded in the 6 mechanical Stripe differences.
## Production readiness

- [Next.js error handling with error.tsx + Sentry (2026)](https://securestartkit.com/blog/next-js-error-handling-error-tsx-sentry-setup-2026): error boundary patterns and Sentry setup.
- [Next.js testing with Vitest + Playwright for SaaS (2026)](https://securestartkit.com/blog/next-js-testing-vitest-playwright-saas-2026): testing security-critical code.
- [Pre-launch security audit, the 12 checks every SaaS needs](https://securestartkit.com/blog/pre-launch-security-audit-the-12-checks-every-saas-needs): 6-phase audit framework with BLOCK/FIX/ACCEPT triage.
- [How much does a SaaS cost to run in 2026](https://securestartkit.com/blog/how-much-does-a-saas-cost-to-run-in-2026): real cost breakdown for indie SaaS.
- [How to send emails in Next.js with React Email + Resend (2026)](https://securestartkit.com/blog/how-to-send-emails-in-next-js-with-react-email-and-resend-2026-guide): transactional email patterns.

## AI-generated code security

- [Vibe coding security, the complete 2026 guide](https://securestartkit.com/blog/vibe-coding-security-the-complete-2026-guide): umbrella post defining vibe coding as a security category.
- [The vibe coding security checklist](https://securestartkit.com/blog/the-vibe-coding-security-checklist-how-to-audit-your-ai-generated-app): audit framework for AI-generated code.
- [Why 170+ vibe-coded apps got hacked](https://securestartkit.com/blog/why-170-vibe-coded-apps-got-hacked-and-how-to-actually-secure-your-supabase-app): pattern analysis of 2026 vibe-coding breaches.
- [From vibe-coded prototype to secure SaaS, the migration playbook](https://securestartkit.com/blog/from-vibe-coded-prototype-to-secure-saas-the-migration-playbook): 4-phase migration playbook (audit, triage, harden, verify).

## Stack and launch

- [Why we chose Next.js + Supabase + Stripe for secure SaaS](https://securestartkit.com/blog/nextjs-15-supabase-stripe-stack): the architectural rationale for the stack.
- [How to ship a secure SaaS in a weekend](https://securestartkit.com/blog/ship-saas-weekend): security checks woven through a weekend timeline.
- [The secure SaaS launch checklist (7 non-negotiables)](https://securestartkit.com/blog/the-secure-saas-launch-checklist-7-non-negotiables-before-you-go-live): launch-day go/no-go security checks.
- [Next.js SEO for SaaS, the complete 2026 guide](https://securestartkit.com/blog/next-js-seo-for-saas-the-complete-2026-guide-to-ranking-your-app): technical SEO for SaaS.
- [5 Next.js SaaS templates compared on security (2026)](https://securestartkit.com/blog/saas-template-comparison): honest comparison of SecureStartKit, ShipFast, MakerKit, Supastarter, Nextbase, Divjoy.

## Free security tools

- [Supabase RLS Policy Generator](https://securestartkit.com/tools/supabase-rls-policy-generator): generate RLS policies for common access patterns.
- [SaaS Security Checklist](https://securestartkit.com/tools/saas-security-checklist): 30-check pre-launch security audit.
- [Next.js Security Headers Generator](https://securestartkit.com/tools/nextjs-security-headers): generate a production security-headers config.
- [CORS Config Generator](https://securestartkit.com/tools/cors-config-generator): generate CORS configuration for Next.js.
- [JSON to Zod](https://securestartkit.com/tools/json-to-zod): convert JSON to Zod schemas.
- [JWT Decoder](https://securestartkit.com/tools/jwt-decoder): inspect JWT claims without sending the token over the wire.
- [JWT Generator](https://securestartkit.com/tools/jwt-generator): generate signed JWTs for testing.
- [Stripe Webhook Verifier](https://securestartkit.com/tools/stripe-webhook-verifier): verify Stripe webhook signatures offline.
- [Stripe Fee Calculator](https://securestartkit.com/tools/stripe-fee-calculator): compute the actual net per Stripe transaction.
- [SaaS Pricing Calculator](https://securestartkit.com/tools/saas-pricing-calculator): pricing-model decision tool.
- [SaaS Tech-Stack Cost Estimator](https://securestartkit.com/tools/saas-tech-stack-cost-estimator): estimate monthly infrastructure costs.
- [API Key Generator](https://securestartkit.com/tools/api-key-generator): cryptographically secure key generator.
- [OG Image Preview](https://securestartkit.com/tools/og-image-preview): preview how Open Graph images render across platforms.

## Comparisons

- [SecureStartKit vs ShipFast](https://securestartkit.com/compare/securestartkit-vs-shipfast)
- [SecureStartKit vs MakerKit](https://securestartkit.com/compare/securestartkit-vs-makerkit)
- [SecureStartKit vs Supastarter](https://securestartkit.com/compare/securestartkit-vs-supastarter)
- [SecureStartKit vs Divjoy](https://securestartkit.com/compare/securestartkit-vs-divjoy)
- [SecureStartKit vs Nextbase](https://securestartkit.com/compare/securestartkit-vs-nextbase)
- [One-time vs subscription SaaS billing](https://securestartkit.com/compare/one-time-vs-subscription-saas-billing)

## Use-case hubs

- [For indie hackers](https://securestartkit.com/for/indie-hackers): the 5 architectural commitments framed for solo founders.
- [For solo developers](https://securestartkit.com/for/solo-developers): architectural defaults as the substitute for a security team.
- [Fintech SaaS use case](https://securestartkit.com/use-cases/fintech-saas): patterns for transaction integrity, tenant isolation, PII-safe logging.
- [Healthtech SaaS use case](https://securestartkit.com/use-cases/healthtech-saas): patterns for PHI-aware architecture (no HIPAA certification claim).
- [Internal tools use case](https://securestartkit.com/use-cases/internal-tools): patterns for RBAC, AAL2 admin gating, audit logging.

## Documentation

- [Getting started](https://securestartkit.com/docs): quick-start, project structure, and key concepts.
- [Installation](https://securestartkit.com/docs/installation): full setup instructions for Supabase, Stripe, and Resend.
- [Configuration](https://securestartkit.com/docs/configuration): central `config.ts` configuration.
- [Deployment](https://securestartkit.com/docs/deployment): deploying to Vercel.
- [Authentication feature docs](https://securestartkit.com/docs/features/authentication)
- [Payments feature docs](https://securestartkit.com/docs/features/payments)
- [Database feature docs](https://securestartkit.com/docs/features/database)
- [Security feature docs](https://securestartkit.com/docs/features/security)
- [Emails feature docs](https://securestartkit.com/docs/features/emails)
- [Blog feature docs](https://securestartkit.com/docs/features/blog)
- [Claude Code skills feature docs](https://securestartkit.com/docs/features/skills)
- [Recipes: Add a Server Action](https://securestartkit.com/docs/recipes/add-server-action): the canonical validate-then-authorize-then-query pattern.
- [Recipes: Add a database table](https://securestartkit.com/docs/recipes/add-database-table): SQL + RLS deny-all + type regeneration + Server Action wiring.
- [Recipes: Add an OAuth provider](https://securestartkit.com/docs/recipes/add-oauth-provider): GitHub/Apple/Microsoft OAuth with PKCE + redirect-allowlist hardening.
- [Recipes: Add an email template](https://securestartkit.com/docs/recipes/add-email-template): React Email template + typed send helper + trigger wiring.
- [Recipes: Customize the auth flow](https://securestartkit.com/docs/recipes/customize-auth-flow): extra signup fields, TOS acceptance, allowlists, onboarding redirects.
- [Recipes: Add an admin metric](https://securestartkit.com/docs/recipes/add-admin-metric): Server Component metric cards with server-only aggregation.
## Glossary

- [Row Level Security (RLS)](https://securestartkit.com/glossary/row-level-security)
- [JWT](https://securestartkit.com/glossary/jwt)
- [AAL (Authenticator Assurance Level)](https://securestartkit.com/glossary/aal)
- [PKCE](https://securestartkit.com/glossary/pkce)
- [OAuth](https://securestartkit.com/glossary/oauth)
- [Magic link](https://securestartkit.com/glossary/magic-link)
- [MFA](https://securestartkit.com/glossary/mfa)
- [TOTP](https://securestartkit.com/glossary/totp)
- [getClaims](https://securestartkit.com/glossary/getclaims)
- [Custom Access Token Hook](https://securestartkit.com/glossary/custom-access-token-hook)
- [Server Actions](https://securestartkit.com/glossary/server-actions)
- [Zod](https://securestartkit.com/glossary/zod)
- [CSP](https://securestartkit.com/glossary/csp)
- [CORS](https://securestartkit.com/glossary/cors)
- [CSRF](https://securestartkit.com/glossary/csrf)
- [XSS](https://securestartkit.com/glossary/xss)
- [Rate limiting](https://securestartkit.com/glossary/rate-limiting)
- [OWASP Top 10](https://securestartkit.com/glossary/owasp-top-10)
- [Backend-only data access](https://securestartkit.com/glossary/backend-only-data-access)
- [Service-role key](https://securestartkit.com/glossary/service-role-key)
- [Anon key](https://securestartkit.com/glossary/anon-key)
- [Stripe webhook signature verification](https://securestartkit.com/glossary/stripe-webhook-signature-verification)
- [Idempotency](https://securestartkit.com/glossary/idempotency)
- [IDOR](https://securestartkit.com/glossary/idor)
- [Vibe coding](https://securestartkit.com/glossary/vibe-coding)
- [@supabase/ssr](https://securestartkit.com/glossary/supabase-ssr)
- [Full glossary index](https://securestartkit.com/glossary)