Skip to content
Proyecta Docs

Security Audit

Ask the AI to review your app’s security posture, follow the best practices below, and keep secrets in the Settings page.

Security in Proyecta is handled by a mix of platform defaults, AI-driven reviews, and a few habits you should build. Here’s how to think about it.

Run a security audit

Section titled “Run a security audit”

Open the Command Palette (Cmd+K / Ctrl+K) and select Run Security Audit. This sends a comprehensive security prompt to the AI, which reads your entire codebase and surfaces vulnerabilities with prioritized findings and specific fixes.

The audit checks for:

  • Hardcoded API keys, tokens, or passwords in source files
  • VITE_-prefixed env vars that leak secrets to the client
  • Missing server-side input validation on API endpoints
  • Authentication and authorization gaps
  • Unescaped user content (XSS risks)
  • Dependency vulnerabilities
  • Mixed content or hardcoded http:// URLs

You can also run a security audit manually from the chat, or narrow it to a specific area:

  • "Review my checkout flow for security issues"
  • "Check the admin pages — who can access what?"
  • "Look at every endpoint that writes to the database and tell me if any of them are missing authorization"

Security best practices

Section titled “Security best practices”

Keep secrets secure

  • Store every API key, database credential, and third-party token in the Environment Variables section of the Settings page
  • Never paste secrets into chat messages or commit them to code
  • If a secret is exposed, revoke it with the third-party provider immediately and create a new one

Limit access

  • Implement role-based permissions in your app ("Add admin and member roles. Only admins can access /admin pages.")
  • Restrict sensitive pages and endpoints to authenticated users
  • Always validate user input on the server side, never just on the client

Use HTTPS everywhere

  • All published Proyecta apps are served over HTTPS automatically
  • SSL certificates are provisioned and renewed for you
  • For custom domains, the same applies once DNS is pointed correctly

Keep dependencies updated

  • Ask the AI periodically: "Check my dependencies for known security vulnerabilities and upgrade the vulnerable ones."
  • Review what the AI changes — dependency upgrades sometimes include breaking changes

Audit after big changes

  • Re-run an audit after adding authentication, payments, file uploads, or anything that touches user data
  • Before publishing to production for the first time, do a clean sweep

What Proyecta handles for you

Section titled “What Proyecta handles for you”
  • HTTPS and certificates for your *.proyecta.live subdomain and custom domains
  • Environment variable encryption — secrets are stored securely and injected at runtime, never committed
  • Isolated runtimes — each project runs in its own container, so dev-environment issues don’t affect other users

Tips

Section titled “Tips”
  • Run an audit before your first publish — a clean sweep catches issues before they go live.
  • Re-run after big changes — adding auth, payments, or file uploads introduces new attack surface.
  • Narrow the scope — audits on specific areas are faster and more thorough than full-app sweeps.