A practical 10-minute security checklist for solo founders. No security team, no enterprise tools, just the checks that actually catch real bugs.

Every security article you read assumes you have a team. A SecOps lead. A compliance manager. Someone whose entire job is reading Snyk dashboards and triaging CVEs in your container base images. You have none of that. You have a Cursor window, a Supabase project, a Vercel deploy, and a launch deadline. The good news: you do not need an enterprise security program to ship something that will not embarrass you. You need a routine. Ten minutes, once a week, that catches the things that actually break solo founder apps. Not theoretical supply chain attacks. Not nation state APTs. The boring stuff: an exposed API key in a client bundle, a Supabase table with RLS disabled, a CORS policy set to wildcard, an admin endpoint with no auth check. This is the routine I run on my own projects, and the one Guardian was built to automate. You can do most of it manually in ten minutes. Set a recurring calendar block, do it every Friday afternoon, and you will catch 90% of the issues that actually matter for an app at your stage.

Minutes 1-4: Audit your secrets and environment variables

Open your repo and search for anything that looks like a key. grep for sk_, pk_live, eyJ, AIza, and any string longer than 30 characters that does not have a comment next to it. You are looking for two things. First, secrets committed to git history, even in old commits. If you find one, rotate it immediately. The fact that you removed it in a later commit does not matter. GitHub indexes everything, and bots scrape new commits within seconds of a push. Second, secrets that are correctly in .env but get bundled into your client. If you are using Next.js or Vite, anything prefixed with NEXT_PUBLIC_ or VITE_ ships to the browser. Open your built app, view source, and search for your API keys. If you see your Stripe secret key, your OpenAI key, or your Supabase service role key in the bundle, stop everything and fix it. Service role keys especially: they bypass RLS and give full database access to anyone who views source on your site. Move them to server-only routes, edge functions, or API endpoints. Five minutes here can save you a five-figure cloud bill.
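A scriptable version of this check, added here as an example and not Guardian's own code: it counts key-shaped strings in a working tree (point it at your build output too), and separately in every commit on every branch, so a key that was "removed later" still shows up. The key patterns are approximations of Stripe, JWT and Google shapes, and the demo repo it builds uses placeholder values.

```bash
#!/usr/bin/env bash
# Added example, not Guardian's code. Scans a tree and its git history for
# strings shaped like API keys. PATTERN approximates the shapes named in the
# article; extend it for the vendors you actually use.
set -u

PATTERN='(sk|pk)_(live|test)_[A-Za-z0-9]{16,}|eyJ[A-Za-z0-9_-]{20,}|AIza[A-Za-z0-9_-]{30,}'

# Number of key-shaped strings under a directory (0 means clean). Run it on
# dist/ or .next/ as well: NEXT_PUBLIC_/VITE_ values end up in the bundle.
count_tree_hits() {
  grep -rEo --exclude-dir=.git --exclude-dir=node_modules "$PATTERN" "$1" | wc -l | tr -d ' '
}

# Number of key-shaped strings ever *added* in any commit on any branch.
# A later commit that deletes the line does not reduce this count.
count_history_hits() {
  git -C "$1" log -p --all --format= | grep -E '^\+[^+]' | grep -Eo "$PATTERN" | wc -l | tr -d ' '
}

# file:line for each hit in the tree, so you know what to rotate.
report_tree_hits() {
  grep -rEn --exclude-dir=.git --exclude-dir=node_modules "$PATTERN" "$1" || true
}

# Constructed demo repo: a key committed, then "moved to env", plus a built
# bundle that leaked a JWT-shaped token. All values are placeholders.
make_demo_repo() {
  local repo
  repo="$(mktemp -d)"
  mkdir -p "$repo/src" "$repo/dist"
  echo 'const stripe = "sk_live_PLACEHOLDER00000000000000";' > "$repo/src/pay.js"
  if command -v git >/dev/null; then
    git -C "$repo" init -q
    git -C "$repo" config user.name demo
    git -C "$repo" config user.email demo@example.com
    git -C "$repo" add -A
    git -C "$repo" commit -qm "add billing"
    echo 'const stripe = process.env.STRIPE_SECRET_KEY;' > "$repo/src/pay.js"
    git -C "$repo" commit -qam "move key to env"
  fi
  echo 'var k="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.PLACEHOLDER";' > "$repo/dist/app.js"
  echo "$repo"
}

REPO="$(make_demo_repo)"
echo "tree hits:    $(count_tree_hits "$REPO")"       # 1: the JWT in dist/app.js
echo "history hits: $(count_history_hits "$REPO")"    # 1: the sk_live key in commit 1
report_tree_hits "$REPO"
```

Replace `make_demo_repo` with the path to your own checkout and build directory; any non-zero count means rotate first, then clean up.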

Minutes 5-7: Check Supabase RLS and auth boundaries

Open your Supabase dashboard and go to the table editor. Every table that contains user data needs Row Level Security enabled. Not most tables. Every one. The default in Supabase is RLS off, which means once you expose your anon key on the client (which you must), anyone can SELECT from any table. Click into each table, check the RLS toggle, and verify there is at least one policy. Then test it. Open an incognito window, sign in as a different user, and try to read another user's row. If it works, your policy is broken. While you are there, check your storage buckets. Public buckets are fine for marketing assets. They are not fine for user uploads, invoices, or anything else that should be private. If you are not using Supabase, the equivalent applies. Check that your ORM or query layer is filtering by user ID at the database level, not just in your application code. Application level checks fail the moment someone hits your API directly with a forged user ID.

Minutes 8-10: Test your auth and ship the fixes

Pick one protected endpoint. An admin route, a billing webhook, a user data endpoint. Hit it with curl, no auth header. It should return 401. Hit it with a valid token from a different user. It should return 403 or filter the response correctly. Do this for one new endpoint every week and you will eventually cover your whole API. Check your CORS config too. Open your network tab on a request to your API and look at the Access-Control-Allow-Origin header. If it says *, anyone can call your API from any origin, including a phishing page that steals user sessions. Lock it down to your actual domain. That is the routine. Ten minutes, four areas, every week. If you want this automated, that is what Guardian does. Point it at your repo and your deployed app, and it runs all of these checks plus the ones that take longer than ten minutes. But even if you never use a tool, the routine itself is the thing. Set the calendar block now, before you forget.

The Guardian Team
Security for apps built with AI.
